Malwarebytes Labs

2 million job seekers targeted by data thieves

8 February 2024 at 08:42

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers.

The group used SQL injection and cross-site scripting (XSS) attacks, both common techniques, to extract the sensitive information from the websites.

The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam. However, other compromised companies were located in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Researchers first detected the activity of the group in November 2023, and tracked the massive malicious campaign targeting employment agencies and retail companies. Due to the criminals’ focus on job search platforms and the theft of resumes, the researchers dubbed the group ResumeLooters.

The stolen data is hard to quantify given the number of sources, but it may include names, phone numbers, emails, and dates of birth, as well as information about job seekers’ experience, employment history, and other sensitive personal data.

The stolen data were put up for sale on Chinese-speaking Telegram channels. This and other indicators make it very likely that the group is of Chinese origin.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

Warning from LastPass as fake app found on Apple App Store

8 February 2024 at 09:08

Password Manager LastPass has warned about a fraudulent app called “LassPass Password Manager” which it found on the Apple App Store.

The app closely mimics the branding and appearance of LastPass, right down to the interface. So, even if the name was a “happy accident” it seems clear that this was a purposeful attempt to trick users into installing the fake app.

The fake app can be recognized not only by the name, but also by other misspellings in the screenshots. The app lists Parvati Patel as the developer, and its privacy policy is hosted at bluneel[.]com. The developer of the legitimate LastPass app is LogMeIn, Inc.

While using a genuine password manager provides extra security, entrusting your passwords to an app that is a rip-off does not. Obviously, storing all your passwords in an app that is not trustworthy can get you in all kinds of trouble, including identity theft.

We have not tested if the app sends your passwords to a third-party, but we should assume that it does just that.

In the App Store the impersonator claims to be “Trusted by over 1+ million users and 10,000+ businesses” which clearly can’t be right and was most certainly copied from LastPass.

LastPass states that it is:

“… actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property”

But at the time of writing the app was still available in the Apple App Store.

LassPass is available in the App Store

Malwarebytes Premium and Malwarebytes Browser Guard block the domain bluneel[.]com so users will see a warning about the trustworthiness of the app.



FBI and CISA publish guide to Living off the Land techniques

9 February 2024 at 08:55

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.

Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.

This joint guidance comes alongside a joint Cybersecurity Advisory (CSA) called PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.

These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.

The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat (APT) group known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.

In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.

As Jen Easterly, the director of CISA, put it in a hearing before the House Select Committee:

“We have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.”

And it’s not just the US. The Dutch Military Intelligence Service (MIVD) found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.

The Living off the Land (LOTL) guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.

So, it’s important to be aware of what your cybersecurity team, internal or managed (MDR), should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.

The guidance stipulates that LOTL is particularly effective because:

  • Many organizations lack effective security and network management practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting.
  • There is a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.
  • It enables cyber threat actors to avoid investing in developing and deploying custom tools.

So, it provides some best practices for detection and hardening, all of which are explained in detail:

  • Implement write once, read many detailed logging to avoid the risk of attackers modifying or erasing logs.
  • Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
  • Build or acquire automation to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
  • Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
  • Leverage user and entity behavior analytics to identify abnormal and potentially dangerous user and device behavior.
  • Apply and consult vendor-recommended guidance for security hardening.
  • Implement application allowlisting and monitor use of common LOTL binaries (LOLBins).
  • Enhance IT and OT network segmentation and monitoring.
  • Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.
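The baseline, automated comparison, priority tuning and LOLBin monitoring items above can be combined in a few lines. The following is an added example, not code from the guidance or from Malwarebytes: the event fields, the watchlist, the `min_count` threshold and all sample events are constructed assumptions standing in for process-creation logs.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Assumed watchlist of built-in Windows tools; extend it for your environment.
LOLBINS = {"certutil.exe", "powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe"}
RANK = {"high": 0, "medium": 1}


def behaviour_key(event):
    """(user, parent process, binary): the unit of behaviour that is baselined."""
    return (event["user"].lower(),
            basename(event["parent"]).lower(),
            basename(event["image"]).lower())


def build_baseline(history, min_count=2):
    """Keep LOLBin behaviour seen at least min_count times in the reference window."""
    counts = Counter(behaviour_key(e) for e in history)
    return {k for k, n in counts.items() if k[2] in LOLBINS and n >= min_count}


def detect(events, baseline):
    """Return alerts for LOLBin runs outside the baseline, most urgent first."""
    alerts = []
    for e in events:
        key = behaviour_key(e)
        user, _, image = key
        if image not in LOLBINS or key in baseline:
            continue
        # A user with no baselined use of this tool outranks a known
        # user launching it from an unusual parent process.
        known_users = {u for u, _, i in baseline if i == image}
        priority = "medium" if user in known_users else "high"
        alerts.append({"host": e["host"], "key": key,
                       "priority": priority, "cmd": e["cmd"]})
    return sorted(alerts, key=lambda a: RANK[a["priority"]])


def ev(host, user, parent, image, cmd):
    return {"host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}


# Constructed sample data (hypothetical hosts, users and command lines).
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"

HISTORY = (
    [ev("SRV01", "it_admin", EXPLORER, PS, "powershell.exe Get-Service")] * 3
    + [ev("SRV01", "it_admin", SYS32 + "cmd.exe", SYS32 + "netsh.exe",
          "netsh interface show interface")] * 2
    # Seen only once, so it stays below min_count and is not baselined.
    + [ev("WS07", "jdoe", EXPLORER, PS, "powershell.exe Get-Date")]
)

TODAY = [
    ev("SRV01", "it_admin", EXPLORER, PS, "powershell.exe Get-Service"),
    ev("WS07", "jdoe", WINWORD, SYS32 + "certutil.exe",
       "certutil.exe -hashfile report.docx"),
    ev("SRV01", "it_admin", SYS32 + "cmd.exe", PS, "powershell.exe Get-Process"),
    ev("WS07", "jdoe", EXPLORER, PS, "powershell.exe Get-Date"),
    ev("WS07", "jdoe", EXPLORER, SYS32 + "notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert["priority"], alert["host"], alert["key"], alert["cmd"])
```

Raising `min_count` or lengthening the reference window trades alert noise against how quickly new legitimate administration habits are accepted into the baseline.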

Understanding the context of LOTL activities is crucial for accurate detection and response. Many of the tips that Malwarebytes provides for avoiding ransomware will prove to be useful in state-sponsored attacks as well, although the latter can be even more targeted in some situations.

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Further on, CISA urges software manufacturers to implement secure by design rules in their software, to reduce the prevalence of weak default configurations and passwords, to recognize the need for low or no-cost enhanced logging, and to address other exploitable issues identified in the guide.

Insecure software allows threat actors to leverage flaws to enable LOTL techniques and the responsibility should not solely be on the end user. By using secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Ransomware in 2023 recap: 5 key takeaways

9 February 2024 at 10:52

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

2023 was an explosive year for ransomware.

While some ransomware trends hardly changed over the last year, such as LockBit’s continued dominance, ransomware criminals also challenged our fundamental assumptions on how ransomware gangs work, such as by exploiting zero-day vulnerabilities. Through the consistencies and evolutions over the last year, one fact remains clear: 2023 broke records with its total number of 4475 ransomware attacks, a 70% increase from 2022.

Global ransomware attacks by month, 2022 vs 2023

Global ransomware attacks, 2022 vs 2023

Additionally, LockBit was responsible for 22% of all ransomware attacks in 2023, over half as much as the next top five gangs combined. Together, the top 10 ransomware gangs were responsible for 70% of all ransomware attacks.

Top 10 ransomware gangs in 2023

Breaking 2023 ransomware attacks by sector reveals that 23% of all attacks were directed against the Services sector. Together, the top 10 sectors accounted for 80% of all ransomware attacks.

Top 10 industries attacked 2023

The USA was by far the most attacked country in 2023, with a whopping 45% of all ransomware attacks targeting the country.

Top 10 countries attacked 2023

Additionally, we’ve sifted through the backlog of our 2023 ransomware reviews to find the most important stories and trends from the last year. Here are five key takeaways from the ransomware world in 2023.

1. LockBit was… LockBit

LockBit remained the most prolific ransomware gang throughout 2023, responsible for several high-profile attacks (such as against Taiwanese chipmaker TSMC). LockBit also unveiled a new variant, LockBit Green, and showed signs of expanding into macOS territory.

2. Law enforcement worked overtime

Despite 2023 being the worst ransomware year on record, law enforcement notched notable successes in taking down big-name groups, including the FBI’s shutdown of the Hive ransomware group and the seizure of ALPHV’s infrastructure.

3. Gangs seized the day with zero-days

Ransomware gangs, including Cl0p and ALPHV, aggressively exploited zero-day vulnerabilities (e.g., in GoAnywhere MFT, MOVEit Transfer, and Citrix appliances) to launch attacks on an unprecedented scale.

4. Big blows dealt to critical infrastructure

Critical infrastructure (as defined by CISA) took a beating in 2023, with sectors such as logistics, manufacturing, healthcare, and education accounting for almost 30% of all ransomware attacks in 2023. Education alone (a subsector of the Government Facilities sector) experienced a 70% surge in attacks in the past year, increasing from 129 incidents in 2022 to 265 in 2023.

5. New tactics and rebrandings emerged

Besides an increased focus on exploiting zero-days, ransomware gangs introduced other new tactics in 2023 such as CL0P’s use of torrents for distributing stolen data and innovative social engineering techniques by groups like Scattered Spider. We also saw notable rebrands (such as Vice Society to Rhysida) and shifts in focus from encryption to purely data theft and extortion.

Looking ahead

2023 was a whirlwind year for ransomware: Attacks spiked by 70%, law enforcement landed key victories, gangs pivoted to exploiting zero-day vulnerabilities, and much more.

Going into 2024 it’s safe to say that the threat of ransomware looms large for all organizations, especially those with shrinking security budgets and overtaxed IT teams, organizations located in the US, and critical infrastructure sectors like education.

Fighting off ransomware gangs requires a layered security strategy. Technologies such as Endpoint Protection (EP) and Vulnerability and Patch Management (VPM), for example, are vital first defenses to reduce the attack surface and breach likelihood.

The key point, though, is to assume that motivated gangs will eventually breach any defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And for the ultimate assurance of uptime, choose an EDR solution with ransomware rollback to undo changes and restore files so that productivity continues.

How ThreatDown Addresses Ransomware

ThreatDown Bundles take a comprehensive approach to ransomware. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including:

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks—without the need for large in-house cybersecurity teams.

Experience ThreatDown Bundles

Ivanti urges customers to patch yet another critical vulnerability

9 February 2024 at 13:13

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”.

This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.

Please read between the lines that there could be unsupported versions which will never see a patch for this vulnerability.

A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

Customers can access the patch via the standard download portal (login required). The instructions are somewhat complicated, to say the least. Due to all the different versions that are available, it is imperative to carefully read the instructions.

Customers can read this KB article for detailed instructions on how to apply the mitigation and apply the patch as each version becomes available. Please ensure you are following the KB article to receive updates. If you have questions or require further support, please log a case and/or request a call in the Success Portal.

Important to note:

  • Customers who applied the patch released on January 31 or February 1, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
  • Once customers have applied this newly released patch, they do not need to apply the mitigation or the patches released on January 31 and February 1.

The vulnerability

The vulnerability, listed as CVE-2024-22024 with a CVSS score of 8.3 out of 10, allows an attacker to access certain restricted resources without authentication.

An XML external entity injection (XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and/or to interact with any back-end or external systems that the application itself can access.

Ivanti found the XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways.
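SAML messages never need a document type definition, so a common defence against this bug class is to refuse any XML that declares one before it reaches the real parser. The following is an added example, not Ivanti's code and not a reconstruction of CVE-2024-22024, whose internals the advisory does not describe; the function names, both sample messages and the entity target are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from xml.parsers import expat

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class UnsafeXML(ValueError):
    """Raised when a message carries XML features SAML has no use for."""


def _forbid_doctype(name, system_id, public_id, has_internal_subset):
    # Entities (internal or external) can only be declared inside a DTD,
    # so rejecting the DOCTYPE rejects every XXE variant in one place.
    raise UnsafeXML(f"DOCTYPE '{name}' not allowed in SAML message")


def parse_saml(b64_message):
    """Decode a base64 SAML message and parse it only if it has no DTD."""
    raw = base64.b64decode(b64_message, validate=True)
    screener = expat.ParserCreate()
    screener.StartDoctypeDeclHandler = _forbid_doctype
    screener.Parse(raw, True)       # screening pass; raises on DOCTYPE
    return ET.fromstring(raw)       # real parse, reached only when clean


def screen(b64_message):
    """Return ("accepted", issuer) or ("rejected", reason)."""
    try:
        root = parse_saml(b64_message)
    except UnsafeXML as exc:
        return ("rejected", str(exc))
    except (binascii.Error, expat.ExpatError, ET.ParseError) as exc:
        return ("rejected", f"malformed input: {exc}")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    return ("accepted", issuer.strip())


# Constructed sample messages (hypothetical identity provider and entity target).
_BODY = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Issuer>{issuer}</saml:Issuer></samlp:Response>"
)
BENIGN = base64.b64encode(
    ('<?xml version="1.0"?>' + _BODY.format(issuer="https://idp.example.test"))
    .encode()).decode()
HOSTILE = base64.b64encode(
    ('<?xml version="1.0"?>'
     '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed-placeholder">]>'
     + _BODY.format(issuer="&x;")).encode()).decode()

if __name__ == "__main__":
    print(screen(BENIGN))
    print(screen(HOSTILE))
    print(screen("not base64 at all!"))
```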

Since Ivanti claims that the vulnerability came up during internal code reviews, it is unlikely that an exploit already exists, but this type of vulnerability is usually easy to exploit, so chances are, this will not take long.

Although we have seen a pretty convincing claim that they did not find it themselves:

According to Ivanti they are unaware of any evidence of customers being exploited by CVE-2024-22024.

Only a week ago, all FCEB agencies received instructions to disconnect vulnerable Ivanti products before the weekend. This was because, besides the Ivanti vulnerabilities actively exploited in massive numbers that we wrote about on January 11, 2024, alerts went off about two new high severity flaws on January 31, 2024.

All in all, since January 10, five vulnerabilities have been reported in Ivanti products. And at least three of them are subject to active exploitation.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

AI-generated voices in robocalls are illegal, rules FCC

12 February 2024 at 09:33

The Federal Communications Commission (FCC) has announced that calls made with voices generated with the help of Artificial Intelligence (AI) will be considered “artificial” under the Telephone Consumer Protection Act (TCPA). Effective immediately, that makes robocalls that implement voice cloning technology and target consumers illegal.

Robocalls are automated phone calls, often associated with scams, which can be a nuisance to individuals and businesses alike. Some of these calls use AI generated voices of trusted celebrities to gain the trust of the target, in a technique known as voice cloning.

Robocallers not only sell products or services in an annoying way, they’ve also been known to be part of political misinformation campaigns.

The unanimous ruling by the FCC provides state attorneys general across the country with new tools to go after the people behind these nefarious robocalls. Many of these calls would be considered illegal anyway because they are scams or fraudulent, but now the fact that they use AI generated voices alone is enough for them to be considered illegal.

The FCC says it received a letter signed by attorneys general from 26 states asking the agency to act on restricting the use of AI in marketing phone calls.

FCC Chairwoman Jessica Rosenworcel stated:

“Bad actors are using AI-generated voices in unsolicited robocalls to extort vulnerable family members, imitate celebrities, and misinform voters. We’re putting the fraudsters behind these robocalls on notice.”

From now on, those who wish to send robocalls must obtain prior express consent from the called party before making a call that utilizes artificial or prerecorded voice simulated or generated through AI technology.

Violations of the TCPA are subject to stiff civil penalties. Abusers can anticipate fines of up to $1,500 per incident without a cap on damages.

On January 30, 2024, the FCC said its previous actions against international robocalls appear to have reduced apparently illegal robocall traffic across multiple networks. If this new announcement leads to an even bigger reduction, you won’t hear us complaining.

What to do if you answer a robocall

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

  1. Hang up as soon as you realize that it is an automated robocall.
  2. Do not engage with the call at all.
  3. Don’t follow any instructions.
  4. Avoid giving away any personal information.
  5. Report the robocall.
    • If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    • If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov.
    • If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your recorded voice could allow for voice-cloning and be used in scams against you or your loved ones.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

If only you had to worry about malware, with Jason Haddix: Lock and Code S05E04

12 February 2024 at 12:06

Today on the Lock and Code podcast

If your IT and security teams think malware is bad, wait until they learn about everything else.

In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans.

In fact, some attacks have gone so “quiet” that they involve no malware at all. Last year, some ransomware gangs refrained from deploying ransomware in their own attacks, opting to steal sensitive data and then threaten to publish it online if their victims refused to pay up—a method of extracting a ransom that is entirely without ransomware.

Understandably, security teams are outflanked. Defending against sophisticated, multifaceted attacks takes resources, technologies, and human expertise. But not every organization has that at hand.

What, then, are IT-constrained businesses to do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Jason Haddix, the former Chief Information Security Officer at the videogame developer Ubisoft, about how he and his colleagues from other companies faced off against modern adversaries who, during a prolonged crime spree, plundered employee credentials from the dark web, subverted corporate 2FA protections, and leaned heavily on internal web access to steal sensitive documentation.

Haddix, who launched his own cybersecurity training and consulting firm Arcanum Information Security this year, said he learned so much during his time at Ubisoft that he and his peers in the industry coined a new, humorous term for attacks that abuse internet-connected platforms: “A browser and a dream.”

“When you first hear that, you’re like, ‘Okay, what could a browser give you inside of an organization?'”

But Haddix made it clear:

“On the internal LAN, you have knowledge bases like SharePoint, Confluence, MediaWiki. You have dev and project management sites like Trello, local Jira, local Redmine. You have source code managers, which are managed via websites—Git, GitHub, GitLab, Bitbucket, Subversion. You have repo management, build servers, dev platforms, configuration, management platforms, operations, front ends. These are all websites.”

Tune in today.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
LLM Prompt Injection Game: https://gandalf.lakera.ai/


Overwhelmed by modern cyberthreats? ThreatDown can help.

The 2024 ThreatDown State of Malware report is a comprehensive analysis of six pressing cyberthreats this year—including Big Game ransomware, Living Off The Land (LOTL) attacks, and malvertising—with strategies on how IT and security teams can protect against them.

Ransomware review: February 2024

12 February 2024 at 14:10

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In January, we recorded a total of 261 ransomware victims, the lowest number of attacks since February 2023. This is normal, as past data shows that January tends to be one of the least active months for ransomware gangs. But don’t let the relatively low number of attacks fool you: there was plenty of important ransomware news last month.

In January, researchers observed fake “security researchers” trying to trick ransomware victims into thinking that they can recover their stolen data. Described as “follow-on extortion” attacks, the goal of these scams is to get the victims to pay Bitcoin for supposed assistance.

The two examples we have of follow-on extortion attacks targeted victims of the Royal and Akira ransomware gangs, but it’s unclear if the fake security researchers are a part of either of those gangs. Our guess? It’s more likely that they are a fringe group simply seizing an opportunity to exploit victims already targeted by these gangs. 

Let’s analyze why, using two scenarios, assuming that the follow-up extortioners really are Royal or Akira.  

In scenario one, Royal or Akira steals data, prompting a ransom payment from the victim for data deletion. Then, Royal or Akira sends a splinter group to the same victim claiming Royal didn’t delete the data, offering deletion services for an additional fee. This scenario is pretty unlikely, as it undermines Royal’s credibility from the victim’s perspective, damaging the gang’s reputation.

In scenario two, Royal or Akira steals data, but the victim hasn’t paid for deletion yet. The Royal or Akira splinter group then offers to recover the data for a fee. This predicament forces the victim to choose who to trust, likely deciding that it might be more logical to rely on Royal since they have more incentive to maintain a semblance of reliability. So, it then just becomes a normal double-extortion case but with an unnecessary extra step.

In the first case, the “initial ransomware gang” has no leverage for a second round of extortion without contradicting their own claims and damaging their reputation. In the second case, the initial ransomware gang just does more work to get the same outcome, namely payment for data deletion. 

Neither option presents a guaranteed connection to the original attackers.

Known ransomware attacks by gang, January 2024
Known ransomware attacks by country, January 2024
Known ransomware attacks by industry sector, January 2024

In other January news, the UK’s National Cyber Security Centre (NCSC) released a report suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. A simple example is an affiliate using generative AI to create more persuasive phishing emails. This could decrease affiliates’ dependence on Initial Access Brokers for accessing networks, leading to more attacks by individuals enticed by the lower initial investment.

In general, however, we should be cautious about these predictions. Incorporating AI into cybercrime—especially for automated discovery of vulnerabilities or efficient high-value data extraction, as NCSC’s report suggests—is extremely complex and costly. For major gangs like LockBit and CL0P, who manage multimillion-dollar operations, adopting these AI advancements might be more feasible, yet it is still far too early to speculate upon.

In our view, RaaS groups will maintain their current operations in the short term. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs—based on access, leverage, and profit—will likely continue unchanged for the foreseeable future.

In other news, researchers last month witnessed Black Basta affiliates leveraging a new phishing campaign aimed at delivering a relatively new loader named PikaBot. 

PikaBot, an ostensible replacement for the notorious QakBot malware, is an initial access tool that we first wrote about in mid-December, and it looks like it didn’t take ransomware gangs long to start using it. While our original post about PikaBot focused on its distribution via malicious search ads and not phishing emails, ransomware gangs are known to use both attack vectors to gain initial access.

A typical distribution chain for PikaBot, writes ThreatDown Intelligence researcher Jérôme Segura, usually starts with an email (within an already-hijacked thread) containing a link to an external website. Users are then tricked into downloading a zip archive containing malicious JavaScript that downloads PikaBot from an external server.

As this news marks the first time that PikaBot has been publicly connected with any ransomware operations, it’s safe to assume that the malware is actively being used by other gangs as well—or that if it’s not, it will be soon.

New leak site: MYDATA

Mydata is a new leak site from Alpha ransomware, a distinct group not to be confused with ALPHV ransomware. The site published the data of 10 victims in January.

MYDATA leak data

Preventing Ransomware

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

How ThreatDown Addresses Ransomware

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:


ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Warzone RAT infrastructure seized

13 February 2024 at 06:49

On February 9, 2024, the Justice Department announced that an international operation had seized internet domains that were selling information-stealing malware. Federal authorities in Boston seized www.warzone.ws and three related domains, which sold the Warzone RAT malware.

The Warzone RAT malware, a sophisticated Remote Access Trojan (RAT), enabled cybercriminals to browse victims’ file systems, take screenshots, record keystrokes, steal victims’ usernames and passwords, and watch victims through their web cameras, all without their knowledge or permission.

On February 7, 2024, two suspects were arrested in Malta and Nigeria, accused of selling the malware and supporting cybercriminals who used it for malicious purposes.

The operation was led by the FBI, and supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT).

Anyone who is a victim of a Warzone RAT computer intrusion is urged to report it to the FBI via its Warzone RAT Victim Reporting Form.

Signs of infection

There are some known Indicators of Compromise (IOCs) for recent versions of the Warzone RAT (aka AveMaria Stealer).


Warzone RAT is usually spread by emails that use social engineering methods to trick the receiver into downloading and triggering the infection.

General signs that a RAT is active on your system may be:

  • A slow computer and seemingly slow internet connection.
  • Unknown processes in Task Manager.
  • Missing or altered files on your system.
  • Unknown entries in the list of installed programs/software.

Prevention

To keep RATs off your systems, the most general rules of security apply:

  • Keep your software and internet connected devices updated.
  • Only download apps and other software from trusted sources.
  • Be careful about which sites you visit and which emails you open.
  • Never open unsolicited email attachments.
  • Use an up-to-date anti-malware solution.

Malwarebytes and ThreatDown products will detect the Warzone RAT as:

  • Trojan.MalPack.PNG.Generic
  • Trojan.MalPack.MSIL.Generic
  • Generic.Malware.AI.DDS
  • Malware.AI.2990474738
  • Trojan.MalPack


Patch now! Roundcube mail servers are being actively exploited

13 February 2024 at 09:28

The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 4, 2024, in order to protect their devices against active threats. We urge other Roundcube Webmail users to take this seriously too.

Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple different devices, and it’s why when you read an email on your laptop it’s marked as “read” on your phone too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet. Most of them are situated in the US and China.

The affected versions are Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. An update to patch the vulnerability with version 1.6.3 has been available since September 15, 2023. The current version, 1.6.6 at the time of writing, does not have the vulnerability either.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-43770, which is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information.

XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. Persistent, or stored XSS, is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server.

This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.

In this case it appears that attackers can send plain text emails to Roundcube users with XSS links in them, but Roundcube does not sanitize the links, and, of course, stores the email, creating persistence.
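The stored XSS pattern described above, as an added illustration in generic Python (not Roundcube's code): a plain-text mail renderer that turns URLs into links without escaping, next to one that escapes all message text and links only allow-listed schemes. The function names, the scheme allow-list and the sample message are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Deliberately loose URL matcher, as a simple linkifier might use.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)
ALLOWED_SCHEMES = {"http", "https"}  # assumption: the only schemes worth linking


def render_unsafe(body: str) -> str:
    """Vulnerable pattern: body text and URL are copied into HTML unescaped."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', body)


def render_safe(body: str) -> str:
    """Escape every character of the message; link only allow-listed schemes."""
    out, pos = [], 0
    for m in URL_RE.finditer(body):
        out.append(html.escape(body[pos:m.start()]))
        url = m.group(0)
        try:
            scheme = urlsplit(url).scheme.lower()
        except ValueError:  # malformed URL: keep it as plain text
            scheme = ""
        escaped = html.escape(url, quote=True)
        if scheme in ALLOWED_SCHEMES:
            out.append(f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>')
        else:
            out.append(escaped)
        pos = m.end()
    out.append(html.escape(body[pos:]))
    return "".join(out)


# Constructed sample: one message stored once, then rendered for every reader.
# The quote inside the "link" is what breaks out of the href attribute.
STORED_MAILBOX = [
    'Invoice: https://mail.example.test/doc"onmouseover="MARK <b>urgent</b>',
]


def render_mailbox(renderer) -> list:
    """Each later view re-renders the stored text: that is the persistence."""
    return [renderer(body) for body in STORED_MAILBOX]


if __name__ == "__main__":
    print(render_mailbox(render_unsafe)[0])
    print(render_mailbox(render_safe)[0])
```

In the unsafe output the stored text closes the `href` attribute and adds an attribute of its own; in the safe output the same bytes arrive as `&quot;` and `&lt;` and stay inert.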


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Remote Monitoring & Management software used in phishing attacks

13 February 2024 at 11:38

Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, is invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. However, these same tools have caught the eye of cybercriminals, who exploit them to infiltrate company networks and pilfer sensitive data.

The modus operandi of these threat actors involves deceiving employees through sophisticated scams and deceptive online advertisements. Unsuspecting employees, misled by these tactics, may inadvertently invite these criminals into their systems. By convincing employees to download and run these seemingly benign RMM applications under the guise of fixing non-existent issues, these fraudsters gain unfettered access to the company’s network.

In this post, we explore a particular phishing scam targeting corporate users via the AnyDesk remote software and how ThreatDown can prevent the misuse of such programs by cybercriminals.

Phishing site hosts remote software

We believe victims are first targeted and then contacted via phishing emails or text messages (smishing) based on their position in the company.

Attackers could trick them by sending them to a typical phishing page or making them download malware, all of which are good options. However, they are instead playing the long game where they can interact with their victims.

Users are directed to newly registered websites that mimic their financial institution. In order to get support, they need to download remote desktop software disguised as a ‘live chat application’.

uk-barclaysliveteam[.]com/corp/AnyDesk.exe
uk-barclaysliveteam[.]com/corp/anydesk.dmg

It’s interesting to note that the downloaded software is not malware. For example, in this instance they are using a legitimate (although outdated) AnyDesk executable which would not be detected as malicious by security products.

Running the program will show a code that you can give to the person trying to assist you. This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user.

Threat actors have registered phishing domains for different financial institutions, following the same style of the ‘Live chat on Windows’. It’s unclear whether it is all the same group or whether several criminal gangs are operating this scam. However, most of these domains are hosted on AS200593 which has a number of ‘traditional’ phishing sites.

Certain banking sites try to detect if a customer is currently running a remote program before allowing them to log in. However, not all banks have this feature and there are certain cases where threat actors can evade such detection.

There are a number of RMM tools on the market which scammers and criminals will leverage. Ironically, the more popular and simple ones also tend to be the most abused.

AnyDesk recently got in the news for a security breach that allowed the attackers to compromise their production systems. The vendor has since revoked its code signing certificates and is urging customers to update their software.

RMM vendors are aware of the illicit use of their software and regularly remind users about common safety tips. AnyDesk also partnered with fraud fighters such as ScammerPayback to shut down call centers.

Blocking RMM tools with ThreatDown

Free with every ThreatDown Bundle, Application Block can easily protect organizations against the rising trend of legitimate RMM tools being exploited. Organizations can block RMM tools via Application Block by:

  • Navigating to the ‘Monitor’ section within their Nebula console.
  • Selecting ‘Application Block’.
  • Enabling the ‘Block RMM’ toggle switch provided by ThreatDown or customizing the list to fit their specific needs.
  • Saving the configuration to immediately block these RMM tools network-wide.

Adopt a robust defense stance by blocking all unnecessary applications, and for those you must use, the EDR/MDR layers of our ThreatDown Bundles will provide an additional safety net in the event of an infection.

Indicators of Compromise

Phishing domains

uk-barclaysliveteam[.]com
barclaysbusinesslivechat[.]com
boi-bb-onlineservice[.]com
santanderbusiness-helpcentre[.]com
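Because the AnyDesk binary in this campaign is legitimate, a file-based detection will not fire; the download source is the useful signal. The following added example (not ThreatDown code) refangs the domains listed above and scans proxy log lines for two things: any request to a listed domain, and any AnyDesk installer fetched from a host outside the vendor's domain. The log format, the sample lines and the vendor allow-list (`anydesk.com`) are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the article.
IOC_DOMAINS_DEFANGED = [
    "uk-barclaysliveteam[.]com",
    "barclaysbusinesslivechat[.]com",
    "boi-bb-onlineservice[.]com",
    "santanderbusiness-helpcentre[.]com",
]

# Assumption: installer file names mapped to the domains they may come from.
RMM_INSTALLERS = {
    "anydesk.exe": {"anydesk.com"},
    "anydesk.dmg": {"anydesk.com"},
}


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into a matchable host name."""
    return domain.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches(host: str, domains) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url: str) -> list:
    """Return the reasons a requested URL deserves an analyst's attention."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:
        return []
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host_matches(host, IOC_DOMAINS):
        reasons.append("ioc-domain")
    vendors = RMM_INSTALLERS.get(filename)
    if vendors is not None and not host_matches(host, vendors):
        reasons.append("rmm-installer-from-non-vendor-host")
    return reasons


def scan(log_lines) -> list:
    """Each line: '<timestamp> <client-ip> <url>' (constructed format)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than guessing
        timestamp, client, url = fields[0], fields[1], fields[2]
        reasons = classify(url)
        if reasons:
            hits.append((timestamp, client, url, reasons))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_PROXY_LOG = [
    "2024-02-13T10:01:02Z 10.0.0.15 https://uk-barclaysliveteam.com/corp/AnyDesk.exe",
    "2024-02-13T10:05:40Z 10.0.0.22 https://download.anydesk.com/AnyDesk.exe",
    "2024-02-13T10:09:11Z 10.0.0.31 https://support-portal.example/files/anydesk.dmg",
    "2024-02-13T10:12:00Z 10.0.0.15 https://www.example.org/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG):
        print(hit)
```

The second rule keeps working after the listed domains are replaced by newly registered ones, which is why it is worth running alongside the indicator match.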

Try ThreatDown bundles today

For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

Experience ThreatDown Bundles

TheTruthSpy stalkerware, still insecure, still leaking data

13 February 2024 at 11:51

In 2022, we published an article about how photographs of children taken by a stalkerware-type app were found exposed on the internet because of poor cybersecurity practices by the app vendor.

The stalkerware-type app involved, TheTruthSpy, has shown once again that the way in which it handles captured data shows no respect to its customers. And even less for the victims it’s monitoring.

TheTruthSpy markets itself as a tool that can be placed in the hands of employers who want to keep tabs on employees in the workplace, or in the hands of parents who want to look after their kids. But it can just as easily be placed in the hands of stalkers, abusive partners, or someone who just wants to get a leg up in their divorce proceedings.

Stalkerware-type applications like TheTruthSpy typically get installed secretly, by a person with access to the victim’s phone. For that reason, by design, the apps stay hidden from the device owner, while giving the attacker complete access.

Boasting “more than 15 spying features,” it can track a target’s location; reveal their browser history; record their calls; read their SMS messages; spy on their WhatsApp, Facebook, SnapChat and Viber messages; log what they type; and record what they say.

That alone is bad enough, but the app seems to have a persistent problem with security. In 2022, tech publication TechCrunch discovered that TheTruthSpy and other spyware apps share a common Insecure Direct Object Reference (IDOR) vulnerability, CVE-2022-0732. The publication described the bug as “extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim’s Android device.”

The bug was never fixed, and yesterday, stalkerware researcher maia arson crimew revealed that it was stumbled upon again by two different hacking groups.

When members of the two hacking groups looked into TruthSpy last December while searching for stalkerware to hack, they independently stumbled upon the same IDOR vulnerability.

The good news is that both groups, SiegedSec and ByteMeCrew, said in a Telegram post that they are not publicly releasing the breached data, given its highly sensitive nature. They provided enough data to enable TechCrunch to verify that it is authentic though, by matching IMEI numbers (numbers that uniquely identify phones) and advertising IDs against a list of previous known-to-be compromised devices.

Which means that by installing TheTruthSpy—and a whole fleet of clone apps including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy—you are not just spying on someone, you are also potentially exposing their data for anyone to find.

The data reportedly shows that TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.

Sadly, this is no surprise. According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Removing stalkerware

If you want to know if your phone is or was infected with TheTruthSpy, you can use the lookup tool provided by TechCrunch, which has been updated to include information about the most recent leak.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind, however, that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

  1. Open Malwarebytes for Android.
  2. Open the app’s dashboard.
  3. Tap Scan now.
  4. It may take a few minutes to scan your device.

If malware is detected you can act on it in the following ways:

  • Uninstall. The threat will be deleted from your device.
  • Ignore Always. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
  • Ignore Once. A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete it. This option will ignore the detection this time only. It will be detected as malware on your next scan.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Update now! Microsoft fixes two zero-days on February Patch Tuesday

14 February 2024 at 08:17

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId in the form of an Alternate Data Stream to the file which is responsible for the warning message(s).
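To make the Mark of the Web concrete, here is an added example (not Microsoft's code) that parses the text of a `Zone.Identifier` Alternate Data Stream and lists files in a download folder that would open without the warning because the mark is missing or names a trusted zone. The watched extension list and the sample folder contents are constructed for this illustration; `read_motw` only returns data on Windows with NTFS.

```python
from typing import Optional

# Standard Windows URL security zones.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Assumption: file types worth a second look when they arrive unmarked.
WATCHED_EXTENSIONS = (".url", ".lnk", ".exe", ".msi", ".js")


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style body of a Zone.Identifier stream."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate BOM and CRLF
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    try:
        zone = int(fields["zoneid"])
    except (KeyError, ValueError):  # missing or non-numeric ZoneId
        zone = None
    return {
        "zone_id": zone,
        "zone_name": ZONES.get(zone, "unknown"),
        "host_url": fields.get("hosturl"),
        "referrer_url": fields.get("referrerurl"),
        "marked_untrusted": zone in (3, 4),
    }


def read_motw(path: str) -> Optional[dict]:
    """Read the mark from a file on NTFS; None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def triage(streams: dict) -> list:
    """streams maps file name -> Zone.Identifier text, or None when absent.

    Returns watched files that carry no mark, or a mark from a trusted zone.
    """
    findings = []
    for name, text in sorted(streams.items()):
        if not name.lower().endswith(WATCHED_EXTENSIONS):
            continue
        mark = parse_zone_identifier(text) if text is not None else None
        if mark is None:
            findings.append((name, "no Zone.Identifier stream"))
        elif not mark["marked_untrusted"]:
            findings.append((name, f"zone {mark['zone_id']} ({mark['zone_name']})"))
    return findings


# Constructed sample: stream contents as they might be collected from a folder.
SAMPLE_DOWNLOADS = {
    "report.url": "[ZoneTransfer]\r\nZoneId=3\r\n"
                  "HostUrl=https://files.example.test/report.url\r\n",
    "setup.exe": None,
    "notes.txt": None,
    "tool.msi": "\ufeff[ZoneTransfer]\r\nZoneId=1\r\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOWNLOADS):
        print(finding)
```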

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

Ivanti has urged customers to patch yet another critical vulnerability.

SAP has released its February 2024 Patch Day updates.



Malwarebytes crushes malware all the time

14 February 2024 at 08:40

About a month ago, The PC Security Channel (TPSC) ran a test to check out the detection capabilities of Malwarebytes. They tested Malwarebytes by executing a repository of 2015 “malicious” files to see how many Malwarebytes would detect.

This YouTube video shows how a script executes the files and Malwarebytes blocks and immediately quarantines the majority of them.

A screenshot of Malwarebytes Premium crushing it

Malwarebytes missed 34 out of those 2015 files, giving us a score of 98.31%. Many vendors would have been proud of that, but being who we are, we wanted to do better. So we asked whether we could have a look at the files we missed, and TPSC was kind enough to offer us that chance.

Two of the missed files were identified as PUPs. PUP is short for Potentially Unwanted Programs. The emphasis here is on Potentially because they live in the grey area of what people might consider to be acceptable. Some PUPs simply don’t meet our detection criteria.

Anyway, back to the review of the malicious files we missed. As you can see in the sheet below (click to expand), after a full review we were left with four malicious files that we missed and the two PUP-related files.

list of non-detected files

After circling back to TPSC, they graciously agreed with our assessment of the non-malicious files. That brings Malwarebytes’ score up to 99.8%, which is a lot closer to our usual performance in such tests. The four malicious files have all been added to our detections.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How ransomware changed in 2023

14 February 2024 at 09:47

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it hard to scale ransomware attacks, and other gangs may try to replicate its approach in 2024.

Big game ransomware attacks are devastating but relatively rare compared to other forms of cyberattack. There were about 4,500 known ransomware attacks in 2023, although the true figure is probably twice that. These attacks extorted more than $1 billion in ransoms in 2023, according to blockchain data platform Chainalysis.

The potential riches are enormous and there’s no other form of cybercrime that’s so lucrative, so why aren’t we seeing more attacks? It doesn’t seem to be a lack of targets; in fact, the evidence suggests that the gangs are picky about who they attack. The most likely reason is that each attack takes a lot of work. Broadly speaking, an attack requires a team of people that: breaks into an internet-connected computer, researches the target to see if they’re worth the effort of an attack, explores their network, elevates their privileges until they’re an all-conquering administrator, steals and stores terabytes of data, attacks security software and backups, positions ransomware, runs it, and then conducts negotiations.

Doing all of this efficiently requires people, tools, infrastructure, expertise, and experience, and that seems to make it a difficult business model to scale up. The number of known ransomware attacks a year is increasing steadily, by tens of percentage points rather than exploding by thousands. This suggests that most of the people who are drawn to this life of crime are probably already doing it, and there isn’t a vast pool of untapped criminal talent waiting in the wings.

Known ransomware attacks, July 2022-December 2023

Before 2023, cybercrime’s best answer to this scalability problem was Ransomware-as-a-Service (RaaS), which splits the work between vendors that provide the malware and infrastructure, and affiliates that carry out the attacks.

CL0P found another way. It weaponised zero-day vulnerabilities in file transfer software, notably GoAnywhere MFT and MOVEit Transfer, and created automated attacks that plundered data from them. Hundreds of unsuspecting victims were attacked in a pair of short, sharp campaigns lasting a few days, leaving CL0P as the third most active gang of the year, beating ransomware groups that were active in every month of 2023.

It remains to be seen if other gangs can or will follow CL0P’s lead. The repeated use of zero-days signaled a new level of sophistication for a ransomware gang and it may take a while for its rivals to catch up. However, the likes of LockBit—the most prolific group of them all—don’t want for resources so this is probably a matter of time and will, rather than a fundamental barrier.

There is also a question mark about how successful the attacks were. While automation allowed CL0P to increase its reach, it’s reported that a much lower percentage of victims paid a ransom than normal. However, ransomware incident response firm Coveware believes the group managed to compensate by demanding higher ransoms, earning the gang as much as $100 million.

Because of CL0P’s actions, the shape of ransomware in 2024 is in flux and organisations need to be ready. To learn more about how big game ransomware is evolving, the threat of zero-day ransomware, and how to protect against them, read our 2024 State of Malware report.

Facebook Marketplace users’ stolen data offered for sale

15 February 2024 at 06:55

Personal data belonging to Facebook Marketplace users has been published online, according to BleepingComputer.

A cybercriminal was allegedly able to steal a partial database after hacking the systems of a Meta contractor.

The leak consists of around 200,000 records that contain names, phone numbers, email addresses, Facebook IDs, and Facebook profile information of the affected Facebook Marketplace users. BleepingComputer was able to verify some of the data.

Marketplace was introduced by Facebook in 2016 and quickly became a popular platform to sell items to local buyers. It’s often preferred over other marketplaces because you can find or sell items locally that would be too expensive to ship, but you can easily pick up yourself.

Smaller businesses also use it to get the ecommerce side of their business started. Statistics say that every month, on average 40% of Facebook users are Marketplace users, and an estimated 485 million or 16% of active users log in to Facebook for the sole purpose of shopping on Facebook Marketplace.

Depending on the buyer of the leaked data, both the email addresses and the phone numbers could be used in phishing attacks. Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. The combination of email addresses and phone numbers could also be used in SIM swapping attacks.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM which is under the control of the attacker. Having control over or access to the victim’s email combined with the knowledge of the associated phone number makes a SIM swap relatively easy.

Protect yourself from a SIM card swap attack

  • Don’t reply to calls, emails, or text messages that request personal information. Should you get a request for your account or personal information, contact the company asking for it by using a phone number or website that you know is real.
  • Limit the personal information you share online.
  • Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
  • Use Multi-Factor Authentication (MFA), especially on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.


Massive utility scam campaign spreads via online ads

15 February 2024 at 11:39

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

Fraudulent utility scam ads

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

Large scamming infrastructure

The crooks have registered dozens of different domain names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.
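The check described in this section, combining a domain's registration date with whether it was seen as a search-ad landing page, can be scripted. The following is an added example, not code from the original article; the RDAP-style records, the `.example` domains, the ad sightings and the 90-day threshold are all constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP-style domain records (field names follow RFC 9083).
# The .example domains and dates are placeholders, not real indicators.
SAMPLE_RDAP_JSON = """
[
  {"ldhName": "POWER-BILL-HELP.EXAMPLE",
   "events": [{"eventAction": "registration", "eventDate": "2024-01-20T10:00:00Z"},
              {"eventAction": "expiration", "eventDate": "2025-01-20T10:00:00Z"}]},
  {"ldhName": "cityelectric.example",
   "events": [{"eventAction": "registration", "eventDate": "2009-05-04T00:00:00Z"}]},
  {"ldhName": "energy-savings-now.example",
   "events": [{"eventAction": "registration", "eventDate": "2024-02-01T08:30:00+00:00"}]},
  {"ldhName": "utility-credits.example",
   "events": [{"eventAction": "last changed", "eventDate": "2024-02-10T00:00:00Z"}]}
]
"""

# Constructed list of domains observed as landing pages of sponsored results.
SAMPLE_AD_LANDING_DOMAINS = ["power-bill-help.example", "cityelectric.example",
                             "utility-credits.example"]

YOUNG_DOMAIN_DAYS = 90  # assumed threshold for "recently registered"


def registration_date(record):
    """Return the RDAP registration event as an aware datetime, or None."""
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def triage(rdap_records, ad_landing_domains, now):
    """Combine domain age with ad sightings; return {domain: (verdict, reasons)}."""
    advertised = {d.lower() for d in ad_landing_domains}
    results = {}
    for record in rdap_records:
        domain = record["ldhName"].lower()
        registered = registration_date(record)
        in_ads = domain in advertised
        reasons = []
        young = False
        if registered is None:
            reasons.append("no registration date available")
        else:
            age_days = (now - registered).days
            young = age_days <= YOUNG_DOMAIN_DAYS
            if young:
                reasons.append(f"registered {age_days} days ago")
        if in_ads:
            reasons.append("landing page of a search ad")

        # Both signals together are the strong case; an old domain that
        # merely advertises is what a legitimate utility looks like.
        if young and in_ads:
            verdict = "suspicious"
        elif young or (registered is None and in_ads):
            verdict = "watch"
        else:
            verdict = "no signal"
        results[domain] = (verdict, reasons)
    return results


if __name__ == "__main__":
    now = datetime(2024, 2, 15, tzinfo=timezone.utc)
    report = triage(json.loads(SAMPLE_RDAP_JSON), SAMPLE_AD_LANDING_DOMAINS, now)
    for domain, (verdict, reasons) in report.items():
        print(f"{verdict:10} {domain:28} {'; '.join(reasons)}")
```

A "suspicious" verdict is a triage signal for further review, which matches the article's point that domain age alone may not be enough to get a site suspended.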

Keep your identity and money safe from scammers

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

  • Watch out for a sense of urgency. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
  • Never disclose personal details over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
  • Beware requests for money transfers or prepaid cards. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
  • Contact your bank immediately if you think you’ve been scammed and wired money. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
  • Report the scam to the proper authorities, which may be the FTC.

Malwarebytes protection

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

Indicators of Compromise

Google advertiser accounts


Phone numbers


Scammer domains



We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Microsoft Exchange vulnerability actively exploited

16 February 2024 at 08:37

As it turns out, there was another actively exploited vulnerability included in Microsoft’s patch Tuesday updates for February.

When Microsoft said in its update guide for CVE-2024-21410 that the vulnerability was likely to be exploited by attackers, they weren’t kidding. Soon after they changed the status to “Exploitation Detected”.

Today, I was alerted to the fact after spotting a warning by the German Federal Office for Information Security (BSI) about the same vulnerability, something the BSI does not do lightly.

The Exchange vulnerability is listed in the Common Vulnerabilities and Exposures (CVE) database as CVE-2024-21410, an elevation of privilege vulnerability with a CVSS score of 9.8 out of 10.

Microsoft’s description of the vulnerability is a bit more revealing:

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”

In a Windows network, NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. An attacker being able to impersonate a legitimate user could prove to be catastrophic.

Microsoft Exchange Servers, and mail servers in general, are central communication nodes in every organization and as such they are attractive targets for cybercriminals. Being able to perform a pass-the-hash attack would provide an attacker with a paved way into the heart of the network.

As part of the update, Microsoft has enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14). Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).

If you are running Exchange Server 2019 CU13 or earlier and you have previously run the script that enables NTLM credentials Relay Protections then you are protected from this vulnerability. However, Microsoft strongly suggests installing the latest cumulative update.

Last year, Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23.

If you are unsure whether your organization has configured Extended Protection, you can use the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

GoldPickaxe Trojan steals your face!

16 February 2024 at 12:25

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you.

Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.

Cybercriminals try to trick victims into scanning their faces along with identification documents. The victims are approached through phishing and smishing messages claiming to be from local governments or other trusted sources. They ask the target to install a fake government service app.

At this stage there is a crossroads where Android and iOS infections are different. While Android users go straight to the malicious app, due to measures taken by Apple the criminals ask the iOS users to install a disguised Mobile Device Management (MDM) profile. MDM allows a controller to remotely configure devices by sending profiles and commands to the device. As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need.

The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.

Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face-swaps. Face swapping is a technique that allows you to replace faces in images with others.

With the face swap and the photo of the ID the criminals can identify themselves as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, their story was confirmed by warnings from the Thai police.

Although this group is mainly active in Asia, more precisely in Thailand, it makes sense to expect such a successful method to be copied.

Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.



Why keeping track of user accounts is important

19 February 2024 at 10:54

CISA (the Cybersecurity & Infrastructure Security Agency) has issued a cybersecurity advisory after the discovery of documents containing host and user information of a state government organization’s network environment—including metadata—on a dark web brokerage site.

An attacker managed to compromise network administrator credentials through the account of a former employee of the organization. The attacker managed to authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.

CISA suspects that the account details fell into the hands of the attacker through a data breach. This would not have posed a problem if the account had been disabled when the employee left. But the account still had access with administrative privileges to two virtualized servers including SharePoint and the workstation.

The incident responders’ logs revealed the attacker first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range.

On the SharePoint server, the attacker obtained global domain administrator credentials that were stored locally on the server. This account also provided the attacker with access to the on-premises Active Directory (AD) and Azure AD.

The attacker executed LDAP queries to collect user, host, and trust relationship information. The results of these queries are believed to have been among the information that was offered for sale.

Mitigation advice

When an employee leaves there may be several possible reasons not to immediately remove all their accounts. But you should at least remove their privileges as soon as possible and change the password.

The CISA advisory lists several points of advice about user accounts:

  • Review current administrator accounts and only maintain those that are essential for network management.
  • Restrict the use of multiple administrator accounts for one user.
  • Create separate administrator accounts for on-premises and Azure environments to segment access.
  • Implement the principle of least privilege and grant only access to what is necessary. It makes sense to revoke privileges after the task they were needed for is done.
  • Use phishing-resistant multifactor authentication (MFA). The only widely available phishing-resistant authentication is FIDO/WebAuthn authentication.

More general tips are:

  • Account and group policies: Set up a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
  • Awareness of your environment: Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
  • Patching procedures: If you do not have a Vulnerability and Patch Management solution, establish a routine patching cycle for all operating systems, applications, and software.
  • Monitoring and logging: It’s essential to keep an eye on what is happening in your environment so you are aware of atypical events and logs that can help you figure out what happened exactly.
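The account review recommended above can be automated by comparing an HR offboarding list with a directory export. This is an added example, not code from the CISA advisory or the original article; the CSV columns, account names, group names and the 45-day staleness threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample exports. Column names, accounts and groups are assumptions.
HR_EXPORT = """employee_id,status,termination_date
1001,active,
1002,terminated,2023-11-30
1003,terminated,2024-01-15
1004,active,
"""

DIRECTORY_EXPORT = """account,employee_id,enabled,groups,last_logon
alice,1001,true,Users,2024-02-15
bob,1002,true,Users;VPN Users,2024-02-10
bob-adm,1002,true,Domain Admins;Azure Global Admins,2024-02-11
carol,1003,false,Users,2024-01-14
dave,1004,true,Users,2023-10-01
dave-adm,1004,true,Domain Admins,2024-02-16
dave-adm2,1004,true,Server Admins,2024-02-01
svc-backup,,true,Backup Operators,2024-02-18
"""

ONPREM_ADMIN_GROUPS = {"Domain Admins", "Server Admins", "Backup Operators"}
CLOUD_ADMIN_GROUPS = {"Azure Global Admins"}
STALE_AFTER_DAYS = 45  # assumed threshold; tune to your own policy
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_day(value):
    """Parse a YYYY-MM-DD string; empty values become None."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def audit_accounts(hr_csv, directory_csv, today):
    """Return sorted (severity, account, finding) tuples for enabled accounts."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    admin_accounts = defaultdict(list)  # employee_id -> privileged accounts

    for row in csv.DictReader(io.StringIO(directory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot authenticate
        account = row["account"]
        groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
        onprem = groups & ONPREM_ADMIN_GROUPS
        cloud = groups & CLOUD_ADMIN_GROUPS
        privileged = bool(onprem or cloud)
        owner = hr.get(row["employee_id"])
        last_logon = parse_day(row["last_logon"])

        if owner is None:
            if privileged:
                findings.append(("MEDIUM", account, "privileged account with no owner in HR data"))
        elif owner["status"] == "terminated":
            # The case from the advisory: a former employee's account still works.
            left = parse_day(owner["termination_date"])
            severity = "CRITICAL" if privileged else "HIGH"
            findings.append((severity, account, f"enabled, owner left on {left}"))
            if last_logon and left and last_logon > left:
                findings.append(("CRITICAL", account, f"logon on {last_logon} after owner left"))
        elif last_logon and (today - last_logon).days > STALE_AFTER_DAYS:
            findings.append(("LOW", account, f"no logon for {(today - last_logon).days} days"))

        if onprem and cloud:
            findings.append(("MEDIUM", account, "same account administers on-premises and Azure"))
        if privileged and owner is not None:
            admin_accounts[row["employee_id"]].append(account)

    for employee_id, accounts in admin_accounts.items():
        if len(accounts) > 1:
            findings.append(("MEDIUM", ",".join(sorted(accounts)),
                             f"employee {employee_id} holds {len(accounts)} administrator accounts"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, account, finding in audit_accounts(HR_EXPORT, DIRECTORY_EXPORT, date(2024, 2, 19)):
        print(f"{severity:8} {account:20} {finding}")
```

A logon recorded after the owner's termination date is the finding to escalate first, since it indicates the account is not just forgotten but in use.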


LockBit, the world’s worst ransomware, is down

19 February 2024 at 19:07

For the last two years the absolute worst, most prolific, most globally significant “big game” ransomware gang has been LockBit.

This evening its position as ransomware’s biggest beast is suddenly in doubt, following some non-consensual website redecoration at the hands of the UK’s National Crime Agency (NCA).

The LockBit data leak site has a new look

The LockBit dark web site usually hosts the names and data of organisations that refused to pay ransoms. That’s been replaced by a message from the NCA, saying:

This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.

Replete with the flags and badges of the countries and agencies involved, the new look site promises there is more to come. “We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb.”

Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world. In the last 12 months it has racked up more than two and a half times as many known attacks as ALPHV, its closest rival.

Top 5 ransomware gangs by known attacks, February 2023 – January 2024

At this stage we have no idea how serious the damage to LockBit is, and law enforcement is only claiming that the group has been “disrupted”. However, even if that disruption isn’t fatal, it will doubtless raise serious questions among LockBit’s criminal associates.

LockBit sells ransomware-as-a-service (RaaS) to “affiliates”, criminal gangs who use the service to carry out ransomware attacks. Even if LockBit can rebuild its infrastructure elsewhere those affiliates now have every reason to question its credibility.

The takedown comes just two months after LockBit’s biggest rival, ALPHV, also suffered a serious mauling at the hands of international law enforcement, before staggering back to its feet.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

You can learn more about the threat of big game ransomware like LockBit and ALPHV in our 2024 State of Malware report.

Raccoon Infostealer operator extradited to the United States

20 February 2024 at 05:43

A Ukrainian national, Mark Sokolovsky, has been indicted for crimes related to fraud, money laundering and aggravated identity theft and extradited to the United States from the Netherlands, the US Attorney’s Office of the Western District of Texas has announced.

In March 2022, around the time of Sokolovsky’s arrest by Dutch authorities, the FBI and law enforcement partners in Italy and the Netherlands dismantled the digital infrastructure supporting the Raccoon Infostealer, taking its then existing version offline.

On September 13, 2022, the Amsterdam District Court ordered Sokolovsky’s extradition to Texas, where many of his victims were located. After Sokolovsky’s appeal was dismissed in June of 2023, the extradition could take place.

Sokolovsky is suspected of operating the Raccoon Infostealer as a malware-as-a-service (MaaS). This means criminals intent on stealing information could “hire” the malware and the infrastructure to steal data from victim computers.

For this reason Sokolovsky is charged with one count of conspiracy to commit fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft. He made his initial court appearance February 9, and is being held in custody pending trial. If convicted, he will be sentenced to a maximum of 20 years for wire fraud and money laundering, five years for computer fraud charges, and a mandatory two-year term for identity theft offenses.

The Raccoon Infostealer operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly where the leak originated.

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

The main targets of the stealer are credit card data, autofill entries, browser passwords, and cryptocurrency wallets.

The FBI identified at least 50 million unique credentials stolen by Raccoon Infostealer from victims worldwide. Because of this, the agency has created a dedicated website, raccoon.ic3.gov, where potential victims can check if their data has been stolen. All they need to do is to enter their email address. Note, however, that the website only contains data for US-based victims. 

The FBI also encourages potential victims to fill out a detailed complaint and share the harm the malware caused them at the FBI’s Crime Complaint Center (IC3).


Malvertising: This cyberthreat isn’t on the dark web, it’s on Google

20 February 2024 at 06:07

On the internet, people need to worry about more than just opening suspicious email attachments or entering their sensitive information into harmful websites—they also need to worry about their Google searches.

That’s because last year, as revealed in our 2024 ThreatDown State of Malware report, cybercriminals flocked to a malware delivery method that doesn’t require they know a victim’s email address, login credentials, personal information, or anything, really.

Instead, cybercriminals just need to fool someone into clicking on a search result that looks remarkably legitimate.

This is the work of “malicious advertising,” or “malvertising,” for short. Malvertising is not malware itself. Instead, it’s a sneaky process of placing malware, viruses, or other cyber infections on a person’s computer, tablet, or smart phone. The malware that eventually slips onto a person’s device comes in many varieties, but cybercriminals tend to favor malware that can steal a person’s login credentials and information. With this newly stolen information, cybercriminals can then pry into sensitive online accounts that belong to the victim.

But before any of that digital theft can occur, cybercriminals must first ensnare a victim, and they do this by abusing the digital ad infrastructure underpinning Google search results.

Think about searching on Google for “running shoes”—you’ll likely see ads for Nike and Adidas. A Google search for “best carry-on luggage” will invariably produce ads for the consumer brands Monos and Away. And a Google search for a brand like Amazon will show, as expected, ads for Amazon.

But cybercriminals know this, and in response, they’ve created ads that look legitimate, but instead direct victims to malicious websites that carry malware. The websites themselves, too, bear a striking resemblance to whatever product or brand they’re imitating, so as to maintain a charade of legitimacy. From these websites, users download what they think is a valid piece of software, instead downloading malware that leaves them open to further attacks.

A malicious ad for the KeePass password manager appears as a legitimate ad.
The real KeePass website (left) side-by-side with a malvertising site (right).

It’s true that malvertising is often understood as a risk to businesses, but the copycat websites that are created by cybercriminals can and often do impersonate popular brands for everyday users, too.

As revealed in our 2024 ThreatDown State of Malware report, the five most impersonated brands for malvertising last year included:

  1. Amazon
  2. Rufus
  3. Weebly
  4. NotePad++
  5. TradingView

These five brands may not all carry the same familiarity, but their products and services capture a broad swath of user interest, from Weebly’s website creation products, to TradingView’s investment trading platform, to Rufus’s niche-but-useful portable OS booting tool.

Why the increase in malvertising last year?

If Google ads have been around for more than a decade, why are they only being abused by cybercriminals now? The truth is, malvertising has been around for years, but a particular resurgence was recorded more recently.

In 2022, cybercriminals lost access to one of their favorite methods of delivering malware.

That summer, Microsoft announced that it would finally block “macros” that were embedded into files that were downloaded from the internet. Macros are essentially instructions that users can program so that multiple tasks can be bundled together. The danger, though, is that cybercriminals would pre-program macros within certain files for Microsoft Word, Excel, or PowerPoint, and then send those files as malicious email attachments. Once those attachments were downloaded and opened by users, the embedded macros would trigger a set of instructions directing a person’s computer to install malware from a dangerous website online.

Macros were a scourge for cybersecurity for years, as they were effective and easy to deliver.

But when Microsoft restricted macro capabilities in 2022, cybercriminals needed to find another malware delivery channel. They focused on malvertising.

Today’s malvertising is increasingly sophisticated, as cybercriminals can create and purchase online ads that target specific types of users based on location and demographics. Concerningly, modern malvertising can even avoid basic fraud detection as cybercriminals can create websites that determine whether a user is a real person or simply a bot that is trawling the web to find and flag malicious activity.

How to protect against malvertising

The threat of malvertising is multi-layered: There are the fraudulent ads that cybercriminals place on Google search results, the malicious websites that imitate legitimate brands and companies to convince users to download malware, and the malware infection itself.

As such, any successful defense strategy must be multi-layered.

For safe browsing, people can rely on Malwarebytes Browser Guard, a browser extension that blocks third-party tracking and flags malicious websites known to be in the control of cybercriminals. As we wrote before:

“Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers. Thanks to its built-in heuristic engine it can also proactively block never-before-seen malicious websites.”

The problem with malvertising, though, is that new malicious websites are created every single day. Cybersecurity defenders, then, are often caught in a game of catch-up.

Here, users can find safety from Malwarebytes Premium, which provides real-time protection to detect and stop any cyberthreats that get installed onto a device, even if those threats are masquerading as legitimate apps or software.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Wyze cameras show the wrong feeds to customers. Again.

20 February 2024 at 08:27

Last September, we wrote an article about how Wyze home cameras temporarily showed other people’s security feeds.

As far as home cameras go, we said this is absolutely up there at the top of the “things you don’t want to happen” list. Turning your customers into Peeping Toms against their will and exposing other customers’ footage is definitely not OK.

It’s not OK, but yet here we are again. On February 17, The Verge reported that history had repeated itself. Wyze co-founder David Crosby confirmed that users were able to briefly see into a stranger’s property because they were shown an image from someone else’s camera.

Crosby told The Verge:

“We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab.”

So, it’s not a full feed and just a thumbnail, you might think. Is that such a big deal? Well, it was a bit more than that. Users got notification alerts for events in their house. I don’t know how you feel when you get one of those while you know there shouldn’t be anyone there, but it’s enough to make me nervous.

Imagine your surprise when you then see someone else’s house as the cause for that notification.

Wyze blames the issue on overload and corruption of user data after an AWS outage. However, AWS did not report an outage during the time Wyze cameras were having these problems.

And, while the company originally said it had identified 14 instances of the security issue, the number of complaints on Reddit and the Wyze forums indicated that there must have been a lot more.

This turned out to be the case. In an email sent to customers, Wyze revealed that it was actually around 13,000 people who got an unauthorized peek at thumbnails from other people’s homes.

Wyze chalks up the incident to a recently-integrated third-party caching client library which caused the issue when they brought cameras back online after an outage at AWS.

“This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”

Wyze says it has added an extra layer of verification before users can view Event videos.

So, all we can do is hope we don’t have to write another story like this one in a few months.



Law enforcement trolls LockBit, reveals massive takedown

20 February 2024 at 14:03

In an act of exquisite trolling, the UK’s National Crime Agency (NCA) has announced further details about its disruption of the LockBit ransomware group by using the group’s own dark web website.

The LockBit website after its redecoration by the NCA
The LockBit dark web site has a new look

Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world. In the last 12 months it has racked up more than two and a half times as many known attacks as its closest rival. That all stopped yesterday, though, when the LockBit site was replaced with a banner decorated with the flags and badges of the countries and agencies that cooperated to “disrupt” it. The banner read:

This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.

It also promised more information would be revealed today at 11:30 GMT. It didn’t disappoint. There was a press release, of course, and a video:

The NCA reveals details of an international disruption campaign targeting the world’s most harmful cyber crime group, Lockbit.

Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime. pic.twitter.com/m00VFWkR9Z

— National Crime Agency (NCA) (@NCA_UK) February 20, 2024

But the real treat was an updated version of the LockBit website that returned it to something resembling its former self. However, some crucial details had changed. Until yesterday, the secret dark web site was used to list details of the organizations being held to ransom by LockBit. Green squares represented companies whose data had been leaked. Timers on the red squares showed companies under threat of a leak just how long they had until their stolen data would be published.

Not any more, though.

In a graphic illustration of just how comprehensively the LockBit group has been compromised, the green squares now detail published information about the takedown, while red squares tease further reveals for the coming days.

Today, after infiltrating the group’s network, the NCA has taken control of LockBit’s services, compromising their entire criminal enterprise.

As well as taking over the leak site, law enforcement agencies have taken over LockBit’s administration environment, seized the infrastructure used by LockBit’s data exfiltration tool, Stealbit, captured over 1,000 decryption keys, and frozen 200 cryptocurrency accounts.

LockBit admin panel
A screenshot from LockBit’s admin panel

The group’s source code has also fallen into the hands of law enforcement, along with “a vast amount of intelligence” from its systems. Criminal affiliates who logged into the compromised environment were warned that the NCA knows all about their activities too, and the NCA reports that 28 servers belonging to LockBit affiliates have been taken down as well.

Two “LockBit actors” have been arrested in Poland and Ukraine, and the US Department of Justice has announced that two defendants responsible for using LockBit in ransomware attacks have been charged, are in custody, and will face trial in the US. It also unsealed indictments against two Russian nationals, for conspiring to commit LockBit attacks. 

There are numerous reveals promised for the next few days, but the most tantalising is the imminent uncloaking of LockBit’s leader and spokesperson, LockBitSupp.

Screenshot of the "Who is Lockbitsupp" panel on the LockBit website.
The identity of Lockbitsupp won’t be a mystery for much longer

The NCA could have put the information about the takedown anywhere, but it didn’t; it did something memorable, humorous, and deliberately humiliating with it. In other words, it mimicked perfectly the way that ransomware gangs troll the world and each other. In doing so, the NCA signaled that it knows all about LockBit and the broader community of criminals it belongs to. It knows that LockBit’s affiliates and rivals will be watching, and looking over their shoulder.

Good times.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

You can learn more about the threat of big game ransomware like LockBit and ALPHV in our 2024 State of Malware report.

ThreatDown EDR update: Streamlined Suspicious Activity investigation  

20 February 2024 at 14:53

Navigating the complex world of alerts just got easier, thanks to our latest enhancements to the ThreatDown Endpoint Detection and Response (EDR) platform. 

The detailed technical information in EDR alerts—replete with complicated diagrams and references to advanced cybersecurity tactics—can overwhelm even seasoned professionals, let alone those with less experience. With our latest update, however, we’ve tackled this challenge head on. 

Let’s dive further into how our new Incident Summary and Timeline updates make the investigation process more straightforward and accessible. 

Incident Summary and Timeline updates

ThreatDown EDR’s enhancements include two key features: an incident summary that cuts through the jargon and an interactive timeline for a clearer understanding of each alert.  

The incident summary translates the complex strategies and objectives of cyber threats into straightforward terms. For example, it may indicate the threat actor was “disabling security software” or “collecting credentials” instead of using technical MITRE ATT&CK terminology that requires extra research.

With this new, high-level narrative, analysts and customers have a framework to understand what potentially sensitive behaviors triggered an alert without delving into specific process names or registry keys. It can help quickly differentiate suspected malicious incidents from false positives and focus resources appropriately. 

The interactive timeline adds another layer of clarity, presenting a chronological sequence of events related to the alert, each marked with a timestamp and color-coded based on severity. Additional details, such as the processes involved and user accounts, are available with a simple click. 

Users can also scroll through to spot patterns and grasp the incident’s narrative in a unified view, avoiding the complexity of connecting disparate alerts.  

While technical details remain available below for more in-depth information, the new summary and timeline features can help users quickly kick off an investigation or close benign alerts.  

The best of both worlds for ThreatDown users 

By merging simplified language with user-friendly features, ThreatDown EDR’s latest updates reduce the time analysts and customers need to understand alerts—ultimately accelerating the detection and resolution of real threats.  

Not a current user but want to learn more?  Get a free trial of ThreatDown Bundles today.

A first analysis of the i-Soon data leak

21 February 2024 at 06:21

Data from a Chinese cybersecurity vendor that works for the Chinese government has exposed a range of hacking tools and services. Although the source is not entirely clear, it seems that a disgruntled staff member of the group leaked the information on purpose.

The vendor, i-Soon (aka Anxun), is believed to be a private contractor that operates as an Advanced Persistent Threat (APT)-for-hire, servicing China’s Ministry of Public Security (MPS).

The leaked data is organized in a few groups, such as complaints about the company, chat records, financial information, products, employee information, and details about foreign infiltration. According to the leaked data, i-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.

Some of the tools that i-Soon used are impressive enough. Some highlights:

  • Twitter (now X) stealer: Features include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf.
  • Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.
  • The iOS version of the RAT also claims to authorize and support all iOS device versions without jailbreaking, with features ranging from hardware information, GPS data, contacts, media files, and real-time audio records as an extension. (Note: this part dates back to 2020)
  • The Android version can dump messages from all popular Chinese chatting apps (QQ, WeChat, Telegram, and MoMo) and is capable of elevating the system app for persistence against internal recovery.
  • Portable devices for attacking networks from the inside.
  • Special equipment for operatives working abroad to establish safe communication.
  • User lookup database which lists user data including phone number, name, and email, and can be correlated with social media accounts.
  • Targeted automatic penetration testing scenario framework.

While some of the information is dated, the leaked data provide an inside look into the operations of a leading spyware vendor and APT-for-hire.

It will certainly rattle some cages at the infiltrated entities and as such it could possibly cause a shift in international diplomacy and expose the holes in the national security of several countries.

Not all of the material has been examined yet. There is a lot available and translating is not an easy task. But we will keep you posted if anything else of interest shows up.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

[updated] Vibrator virus steals your personal information

21 February 2024 at 07:58

I know that some of you are expecting a post similar to that about a toothbrush botnet, but this is not a hypothetical case. It actually happened.

A Malwarebytes Premium customer started a thread on Reddit saying we had blocked malware from trying to infect their computer after they connected a vibrator to a USB port in order to charge the device.

The vibrator, Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, was infected with an information stealer known as Lumma.

Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it through infected USB drives, as is the case here.

The question that remains is, how did the vibrator get infected? The victim bought the vibrator at Spencer’s, so we reached out to the company in an attempt to get to the bottom of this.

Spencer’s acknowledged that it was aware of the problem, but the team investigating the issue was unable to provide further information at this point. We’ll keep you updated if we receive word from them or find out any more information ourselves.

Update February 28, 2024

A spokesperson for Spirit Halloween/Spencer’s reached out asking us to add their official statement:

We are aware of the issue raised regarding one of our intimate products and can confirm that it is unable to transmit data, as there is no physical connection from the PC board circuitry to the USB data pins.

This definitely makes sense for a device that is not capable of reprogramming by the user. It basically means the device does not need to be connected with a USB condom.

Our advice when it comes to USB devices, including rechargeable vibrators:

  • Don’t connect the USB to your computer for charging. If you use a good old-fashioned AC plug socket then no data transfer can take place while you charge.
  • If you still want the option to connect via USB, USB condoms or “juice-jack defenders” as they are sometimes called will prevent accidental data exchange when your device is plugged into another device with a USB cable.
  • Treat untrusted devices like you would the “lost USB stick” in the parking lot. You know you shouldn’t connect those to your computer, right?
  • Always use security software. In this case, the customer was protected by Malwarebytes Premium. If they weren’t using security software, their personal information might have ended up in the hands of cybercriminals.

Technical details

The customer was kind enough to provide us with the content of the flash drive. On it were a host of XML files and a Microsoft Software Installer file (Mia_Khalifa 18+.msi).

Content of one of the hundreds of XML files

The XML files all look very similar to the above and seem to be designed to function as an XML bomb. An XML bomb is an exponential entity expansion attack, similar to a ZIP bomb, that is designed to crash the web application. This is likely used to draw the attention of the victim away from the actual malware.
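The expansion arithmetic behind an XML bomb, as an added example that is not part of the original analysis: a static check that computes how large a document would become without ever expanding an entity, so a folder of suspect files can be triaged without feeding them to a parser. The sample document, the function names and the 100,000-character limit are constructed for illustration.

```python
import re

# Internal general entities: <!ENTITY name "value">. Parameter (%) and
# external (SYSTEM/PUBLIC) entities do not match and are ignored here.
ENTITY_DECL = re.compile(
    r"""<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[.*?\]\s*>", re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}
MAX_DEPTH = 64  # assumption: deeper nesting than this is treated as hostile


def parse_entities(xml_text):
    """Return {name: replacement text} for the entities declared in the DTD."""
    entities = {}
    for m in ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        entities.setdefault(m.group(1), value)  # first declaration wins
    return entities


def expanded_length(name, entities, cache, stack=()):
    """Length of one entity after full expansion, computed arithmetically."""
    if name in PREDEFINED:
        return 1
    if name not in entities:
        return 0  # undeclared reference: a conforming parser rejects the file
    if name in cache:
        return cache[name]
    if name in stack:
        raise ValueError("entity %r references itself" % name)
    if len(stack) >= MAX_DEPTH:
        raise ValueError("entity nesting deeper than %d" % MAX_DEPTH)
    value = entities[name]
    total = len(ENTITY_REF.sub("", value))  # literal characters
    for ref in ENTITY_REF.findall(value):   # plus every nested reference
        total += expanded_length(ref, entities, cache, stack + (name,))
    cache[name] = total
    return total


def assess(xml_text, limit=100_000):
    """Classify a document as ok, bomb or suspicious without expanding it."""
    entities = parse_entities(xml_text)
    cache = {}
    try:
        sizes = {n: expanded_length(n, entities, cache) for n in entities}
    except ValueError as exc:
        return {"verdict": "suspicious", "reason": str(exc), "expanded": None}
    # Only references in the document body trigger expansion.
    body = DOCTYPE.sub("", xml_text)
    expanded = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        expanded += sizes.get(ref, 1 if ref in PREDEFINED else 0)
    return {
        "verdict": "bomb" if expanded > limit else "ok",
        "expanded": expanded,
        "ratio": expanded / max(len(xml_text), 1),  # amplification factor
        "sizes": sizes,
    }


# Constructed sample: six nested entities with a fan-out of ten. A few
# hundred bytes on disk, roughly one million characters once expanded.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY e0 "0123456789">
  <!ENTITY e1 "&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;">
  <!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
  <!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
  <!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
  <!ENTITY e5 "&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;">
]>
<d>&e5;</d>
"""

if __name__ == "__main__":
    result = assess(SAMPLE_XML)
    print(result["verdict"], result["expanded"], round(result["ratio"]))
```

Each extra nesting level multiplies the expanded size by the fan-out, which is why a parser that handles untrusted XML should have entity expansion disabled or capped.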

The installer creates a program entry called Outweep Dynes.

Outweep Dynes entry in list of installed Programs

The Outweep Dynes “program” is yet another installer dropped in %USERPROFILE%\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe

To hinder reverse engineering, extraction of the executable is password protected. But with the password hardcoded in the file, that was not a problem.

Russian prompt to enter password for the executable

The file then executes a heavily obfuscated portable executable detected by Malwarebytes as Trojan.Crypt.MSIL, which is Malwarebytes’ generic detection name for a type of obfuscated Trojan programmed in Microsoft Intermediate Language (MSIL).

The dropped executable is a combination of the Lumma Stealer and an additional .NET dll library.

Malwarebytes ThreatDown customers enjoy protection by Advanced Device Control. When a USB device is connected, ThreatDown now doesn’t just control access—it actively scans it. You can also now choose to block the device until the system scans it. This means threats are stopped in their tracks, well before they can do any harm.

IOCs

Program name:

Outweep Dynes

Folder:

%USERPROFILE%\AppData\Local\Outweep Dynes

Filenames:

  • InstallerPlus_v3e.5m.exe
  • Installer-Advanced-Installergenius_v4.8z.1l.exe

SHA256 hashes:

  • 207ee8fb2a824009fe72a857e041297bde3b82626b8883bc05ca8572b4dd148a
  • e0f4382f4534c2c0071ce0779d21f0fed59f428cdb622b1945e0a54157c19f95
  • be6efe16701cb69ec6e48441a6ad1c1f934e0f92878ccdfafc3f52cbc97be5c2

Vibrator:

Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Signal to shield user phone numbers by default

22 February 2024 at 06:11

Chat app Signal will shield users’ phone numbers by default from now on. And, it will no longer be necessary to exchange phone numbers when people want to connect through the app.

In November, we reported that Signal was testing usernames to eliminate the need to share your phone number. Signal has now announced that these options are live, and will be rolled out to everyone in the coming weeks.

So, what exactly has changed?

  • Your phone number will no longer be visible to everyone you chat with by default. People who already have your number saved in their phone’s contacts will still see it.
  • In case you don’t want to hand out your phone number to connect with someone on Signal, you can now create a unique username that you can use instead.
  • If you don’t want people to be able to find you by searching for your phone number on Signal, you can now enable a new, optional privacy setting.

Note that the unique username is not your profile name which is displayed in chats, it’s not a permanent handle, and not even visible to the people you’re connected with in Signal.

The optional privacy setting will only allow people that have your exact unique username to start a conversation, even if they have your phone number.

During the transition, it is important to realize that both you and the people you are chatting with on Signal will need to be using the updated version of the app to take advantage of these changes.

The changes are optional. You are not required to create a username and you have full control over whether you want to enable people to find you by your phone number or not.

If you’d still like everyone to see your phone number when messaging them, you can change the default by going to Settings > Privacy > Phone Number > Who can see my number. You can either choose to have your phone number visible to Everyone you message on Signal or Nobody. If you select Nobody, the only people who will see your phone number in Signal are people who already have it saved to their phone’s contacts.

How to create a username on Signal

To create a username, go to Settings > Profile. A username on Signal (unlike a profile name) must be unique and must have two or more numbers at the end of it. This choice was made with the intention to help keep usernames egalitarian and minimize spoofing. Usernames can be changed as often as you like, and you can delete your username entirely if you prefer to no longer have one.

You will still need a phone number in order to create a Signal account, as phone numbers act as a unique identification and anti-spam measure.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Why ransomware gangs love using RMM tools—and how to stop them

22 February 2024 at 11:08

One of the most alarming trends our ThreatDown Intelligence team has noticed lately is the increased exploitation of legitimate Remote Monitoring and Management (RMM) tools by ransomware gangs in their attacks.

RMM software, such as AnyDesk, Atera, and Splashtop, is essential for IT administrators to remotely access and manage devices within their networks. Unfortunately, ransomware gangs can also exploit these tools to penetrate company networks and exfiltrate data, effectively allowing them to “live off the land”.

In this post, we will delve into how ransomware gangs use RMM tools, identify the most exploited RMM tools, and discuss how to detect and prevent suspicious RMM tool activity using Application Block and Endpoint Detection and Response (EDR).

How ransomware gangs utilize RMM tools

Ransomware gangs exploit Remote Monitoring and Management (RMM) tools through one of three main strategies:

  1. Gaining initial access via preexisting RMM tools: As RMM tools typically require credentials for system access, attackers can exploit weak or default RMM credentials and vulnerabilities to gain unauthorized access to a network.
  2. Installing RMM tools post-infection: Once inside a network, ransomware attackers can install their own RMM tools to maintain access and control, setting the stage for a ransomware attack. For example, the ThreatDown Intelligence team noted a case where ransomware attackers exploited an unpatched VMWare Horizon server to install Atera.
  3. Hybrid approach: Attackers can use a slew of different social engineering scams, such as technical support scams or malvertising, to trick employees into installing RMM tools onto their own machines, enabling both initial access and a mechanism for ransomware deployment. The Barclays banking scam we wrote about in February 2024 is an example of this approach.

Top RMM tools exploited by ransomware gangs

The following RMM tools are commonly used by ransomware gangs to oversee and control IT infrastructure remotely.

  • Splashtop: A remote access and support solution tailored for businesses, MSPs, and educational institutions. Exploited by the ransomware gangs CACTUS, BianLian, ALPHV, Lockbit.
  • Atera: An integrated RMM tool for MSPs that offers remote access, monitoring, and management. Exploited by Royal, BianLian, ALPHV.
  • TeamViewer: A software for remote access and support. Exploited by BianLian.
  • ConnectWise: A suite that includes solutions for remote support, management, and monitoring. Exploited by Medusa.
  • LogMeIn: Provides secure remote access to computers from any location for IT management and support. Exploited by Royal.
  • SuperOps: An MSP platform that combines RMM, PSA, and other IT management features. Exploited by CACTUS.

The top ten ransomware gangs in 2023 by number of attacks. Nearly every one has included RMM tools in their attacks.

Preventing RMM ransomware attacks with Application Block and EDR

To prevent ransomware gangs from misusing RMM tools, businesses can adopt two strategies: blocking unnecessary RMM tools using application blocking software and utilizing EDR to detect suspicious RMM tool activity.

For instance, by employing applications like ThreatDown’s Application Block, businesses can prevent the use of non-essential RMM applications.

For necessary tools, such as AnyDesk, the EDR/MDR layers within ThreatDown Bundles can offer an additional layer of protection in case of an infection.

Consider a real example where ransomware attackers used AnyDesk to establish a Command and Control (C&C) server. In one case, a threat actor infiltrated a customer’s environment by exploiting an unpatched server with open ports exposed to the internet. AnyDesk was installed by the threat actor afterward, as indicated in the EDR alert below. Such activity is typical of what our Threat Intel teams observe just before the widespread encryption carried out in ransomware attacks.

EDR detecting malicious RMM tool usage, with relevant MITRE techniques

After investigating the alert, however, a customer can quickly isolate the affected endpoint to prevent encryption. Alternatively, the ThreatDown MDR service can identify the alert and offer guidance on remediation.
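The two strategies above (block what you don’t need, watch what you do), as an added example that is not ThreatDown’s detection logic: an audit of process-start records against an RMM allowlist. The product list comes from the tools named in this post; the matching rule, host names, paths and policy are constructed assumptions.

```python
import re

# Products named in the article, keyed by the lowercase prefix expected at the
# start of a folder or file name (an assumption of this example).
RMM_PREFIXES = {
    "anydesk": "AnyDesk", "atera": "Atera", "splashtop": "Splashtop",
    "teamviewer": "TeamViewer", "connectwise": "ConnectWise",
    "screenconnect": "ConnectWise", "logmein": "LogMeIn",
    "superops": "SuperOps",
}
# Locations a standard user can write to; a remote-access tool started from
# here was probably not deployed by IT.
USER_WRITABLE = re.compile(r"\\(downloads|desktop|temp)\\", re.I)


def identify_rmm(image_path):
    """Return the product if any path component starts with a known prefix.

    Matching whole components instead of substrings avoids false hits such
    as "LateralReport.exe", which contains the letters "atera".
    """
    for component in re.split(r"[\\/]", image_path.lower()):
        for prefix, product in RMM_PREFIXES.items():
            if component.startswith(prefix):
                return product
    return None


def audit(events, approved):
    """Flag RMM executions that policy does not cover.

    events:   iterable of {"host", "image"} process-start records
    approved: {product: set of hosts allowed to run it}
    """
    findings = []
    for ev in events:
        product = identify_rmm(ev["image"])
        if product is None:
            continue
        reasons = []
        if product not in approved:
            reasons.append("tool not approved")
        elif ev["host"] not in approved[product]:
            reasons.append("approved tool on unexpected host")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("started from user-writable path")
        if reasons:
            findings.append((ev["host"], product, reasons))
    return findings


# Constructed sample data: AnyDesk is approved on one workstation only.
APPROVED = {"AnyDesk": {"ws-014"}}
EVENTS = [
    {"host": "ws-014", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "srv-web01", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"host": "ws-022", "image": r"C:\Users\jdoe\Downloads\AteraAgent.exe"},
    {"host": "ws-022", "image": r"C:\Tools\LateralReport.exe"},
]

if __name__ == "__main__":
    for host, product, reasons in audit(EVENTS, APPROVED):
        print(host, product, "; ".join(reasons))
```

The second record mirrors the case described above: a tool the organization does use, appearing on a server where nobody in IT installed it.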

Stop ransomware RMM attacks today

Much like other Living Off the Land tools designed to facilitate IT administration, RMM tools are now double-edged swords.

Whether using RMM tools for initial access, post-infection ransomware deployment, or a combination of the two, ransomware attackers are upping the sophistication of their attacks. However, with ThreatDown, organizations can effectively curtail the abuse of RMM tools through technologies like Application Block and EDR.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.

Update now! ConnectWise ScreenConnect vulnerability needs your attention

23 February 2024 at 08:37

ConnectWise is warning self-hosted and on-premise customers that they need to take immediate action to remediate a critical vulnerability in its ScreenConnect remote desktop software. This software is typically used in data centers and for remote assistance. Together, ConnectWise’s partners manage millions of endpoints (clients).

A Shadowserver scan revealed approximately 3,800 vulnerable ConnectWise ScreenConnect instances on Wednesday, most of them in the US.

~3800 vulnerable ConnectWise ScreenConnect instances (authentication bypass using an alternate path or channel (CVSS 10) & path traversal (CVSS 8.4)) https://t.co/tPi9ALNVab

IP data in:https://t.co/qxv0Gv5ELc

~93% instances of ScreenConnect seen on 2024-02-20 still vulnerable: https://t.co/CRpEHutjFS pic.twitter.com/hiwPqnouby

— Shadowserver (@Shadowserver) February 21, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. ConnectWise has shared three IP addresses that were recently used by threat actors:

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60

These IP addresses are all blocked by ThreatDown and Malwarebytes solutions.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The flaw added to the CISA Catalog is CVE-2024-1709, an authentication bypass vulnerability with a CVSS score of 10 that could allow an attacker administrative access to a compromised instance. With administrative access it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE).

Affected versions are ScreenConnect 23.9.7 and prior. Cloud partners don’t need to take any actions. ScreenConnect servers hosted on screenconnect.com and hostedrmm.com have been updated to remediate the issue.

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.

For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation – ConnectWise.



Joomla! patches XSS flaws that could lead to remote code execution

23 February 2024 at 11:11

On February 20, Joomla! posted details about four vulnerabilities it had fixed in its Content Management System (CMS), and one in the Joomla! Framework that affects the CMS.

Joomla! is an open-source CMS that’s been around since 2005, and has been one of the most popular CMS platforms by market share for much of that time. Many companies, from small outfits to large enterprises, use a CMS in some form to manage their websites. There are lots of advantages to using a popular CMS, but if you do you should keep an eye out for updates. And this looks like an important one.

Just last month, a vulnerability patched in February 2023 was added to CISA’s catalog of known exploited vulnerabilities, suggesting a lack of patching urgency by some Joomla! owners. Let’s see if we can avoid duplicating that scenario.

To make this happen, Joomla! CMS users should upgrade to version 3.10.15-elts, 4.4.3 or 5.0.3. The latest releases that include the fixes are available for download. Links can be found on the release news page. The latest versions can always be found on the latest release tab. The extended long term support (elts) versions can be found on the dedicated elts site.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We’ll list them below, but the descriptions of the vulnerabilities require some explaining.

  • CVE-2024-21722: The multi-factor authentication (MFA) management features did not properly terminate existing user sessions when a user’s MFA methods have been modified. This suggests that logged-in users could stay logged in if an administrator changed their MFA method. This is a problem if you are changing the MFA method because you suspect there has been unauthorized access.
  • CVE-2024-21723: Inadequate parsing of URLs could result in an open redirect. An open redirect vulnerability occurs when an application allows a user to control how an HTTP redirect behaves. Phishers love open redirects on legitimate sites because the URLs look like they go to the legitimate site, when in fact they redirect to another site.
  • CVE-2024-21724: Inadequate input validation for media selection fields leads to cross-site scripting (XSS) vulnerabilities in various extensions. XSS is a type of vulnerability that allows an attacker to inject malicious code into a site’s content. Input validation should stop that injection.
  • CVE-2024-21725: Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components. According to Joomla! this is the vulnerability with the highest exploitation probability. A website user could input data in the email address field that would cause an XSS vulnerability because it was not properly escaped. Email addresses need to be escaped because otherwise they could be interpreted as HTML code.
  • CVE-2024-21726: Inadequate content filtering leads to XSS vulnerabilities in various components. This is the vulnerability in the Joomla! Framework. Apparently there has been an oversight in the filtering code which can cause XSS vulnerabilities in several components. Researchers found that attackers can exploit this issue to gain remote code execution by tricking an administrator into clicking on a malicious link.

These researchers also urged users to update their CMS:

“While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk.”
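Why email addresses have to be escaped on output, as described for CVE-2024-21725 above, shown as an added generic example. This is not Joomla!’s code or its fix; the function names and the sample address are constructed. A quoted local part lets a syntactically valid address carry markup characters, so the defense is encoding at output, once for the URL context and once for the HTML context.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote


def contact_link_unescaped(email):
    """'Before' form: the address is concatenated into markup as-is."""
    return '<a href="mailto:' + email + '">' + email + "</a>"


def contact_link_escaped(email):
    """Hardened form: encode separately for each output context."""
    # URL context: percent-encode everything that is not plainly safe.
    href = "mailto:" + quote(email, safe="@+")
    # HTML context: escape both the attribute value and the visible text.
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(email, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser recognizes in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(markup):
    """Return the start tags found in markup, in document order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# Constructed input: a quoted local part carrying harmless bold markup.
SAMPLE_ADDRESS = '"<b>injected</b>"@example.com'

if __name__ == "__main__":
    print(tags_seen(contact_link_unescaped(SAMPLE_ADDRESS)))
    print(tags_seen(contact_link_escaped(SAMPLE_ADDRESS)))
    print(contact_link_escaped(SAMPLE_ADDRESS))
```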

Secure your CMS

There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. They are as follows:

  • Choose a CMS from an organization that actively looks for and fixes security vulnerabilities.
  • If it has a mailing list for informing users about patches, join it.
  • Enable automatic updates if the CMS supports them.
  • Use the fewest number of plugins you can, and do your due diligence on the ones you use.
  • Keep track of the changes made to your site and its source code.
  • Secure accounts with two-factor authentication (2FA).
  • Give users the minimum access rights they need to do their job.
  • Limit file uploads to exclude code and executable files, and monitor them closely.
  • Use a Web Application Firewall (WAF).

If your CMS is hosted on your own servers, be aware of the dangers that this setup brings and keep it separated from other parts of your network.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

How to make a fake ID online, with Joseph Cox: Lock and Code S05E05

26 February 2024 at 11:23

This week on the Lock and Code podcast…

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.

In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.

Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a photo of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to watch porn online in the US state of Louisiana? It’s a niche example, but because of a law passed in 2022, you will likely need to submit, again, a photo of your state driver’s license to a separate ID verification mobile app that then connects with porn sites to authorize your request.

The discrepancies in these end-uses are stark; cryptocurrency and porn don’t have too much in common with Red Bull vodkas and, to pick just one example, a Guatemalan coup. But there’s something else happening here that reveals the subtle differences between yesteryear’s fake IDs and today’s, which is that modern ID verification doesn’t need a physical ID card or passport to work—it can sometimes function only with an image.

Last month, the technology reporting outfit 404 Media investigated an online service called OnlyFake that claimed to use artificial intelligence to pump out images of fake IDs. By filling out some bogus personal information, like a made-up birthdate, height, and weight, OnlyFake would provide convincing images of real forms of ID, be they driver’s licenses in California or passports from the US, the UK, Mexico, Canada, Japan, and more. Those images, in turn, could then be used to fraudulently pass identification checks on certain websites.

When 404 Media co-founder and reporter Joseph Cox learned about OnlyFake, he tested whether an image of a fake passport he generated could be used to authenticate his identity with an online cryptocurrency exchange.

In short, it did.

By creating a fraudulent British passport through OnlyFake, Joseph Cox—or as his fake ID said, “David Creeks”—managed to verify his false identity when creating an account with the cryptocurrency market OKX.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cox about the believability of his fake IDs, the AI claims and limitations of OnlyFake, what’s in store for the future of the site (which went dark after Cox’s report), and what other types of fraud are now dangerously within reach for countless threat actors.

Making fake IDs, even photos of fake IDs, is a very particular skill set—it’s like a trade in the criminal underground. You don’t need that anymore.

Joseph Cox, 404 Media co-founder

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Identity theft is number one threat for consumers, says report

27 February 2024 at 05:47

The German Federal Office for Information Security (BSI) has published a report on The State of IT Security in Germany in 2023, and the number one threat for consumers is… identity theft.

The thing is, you can protect your devices and your online privacy as much as possible, but what happens when some organization which you have trusted with your personal information gets breached?

The report states:

“For consumers, the issue of data leaks was prominent in the reporting period (2023). In many cases, these were related to ransomware attacks, in which cybercriminals exfiltrated large amounts of data from organizations in order to later threaten to publish it unless a ransom or hush money was paid.”

In addition to data breaches, there is the danger of information stealers that allow cybercriminals to obtain various types of personal data, such as login details for various online services, and financial information. The stolen data may also include website cookies and biometric data that can be used by criminals to defraud the victim.

Cybercriminals are also getting better at using these data. For example, the report mentions that on one of the largest underground marketplaces for identity data, cybercriminals offered interested parties a browser plug-in that made it possible to import stolen credentials directly into the web browser, allowing criminals to assume the victim’s digital identity with just a few clicks.

We’ve previously talked about the dangers of data brokers that, by trading and buying, are accumulating massive troves of personal data. Now, with the mass availability of Artificial Intelligence tools, it becomes so much easier to correlate all these data sets and piece together a complete profile of everyone affected.

As you can see, it’s usually not the victim’s fault that their data become available to cybercriminals. In many cases, there isn’t even that much that they could have done about it. Some services simply are not available in the offline world anymore, and we have no choice but to trust an organization with our information.

So, all we can do is make sure we come prepared to act when a data breach affects us, and keep an eye on how much we share and how much others will be able to find out about us.

What to do in the event of a data breach

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Android banking trojans: How they steal passwords and drain bank accounts

27 February 2024 at 06:37

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

The introduction screen when opening “RecoverFiles” and the follow-on permissions it asks from users. Once installed, it is invisible on the device home screen.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercriminals have devised far more devious schemes than simple camouflage.

Slipping under the radar

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

What does it all mean for me?

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

“Once it has accessibility permissions, the malware initializes its Automated Transfer System (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”
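The traits described in this article (an accessibility service, an app with no home-screen icon, and the ability to pull in further packages) can be checked statically in a decoded AndroidManifest.xml. The following is an added example, not code from Malwarebytes or the report; the two manifests are constructed for hypothetical packages, and the mapping from the permission prompts described above to specific Android permission names is this example's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
LAUNCHER = "android.intent.category.LAUNCHER"

# Assumption: which requested permissions deserve a second look, and why.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "may install further APKs (dropper)",
    "android.permission.QUERY_ALL_PACKAGES": "may enumerate installed apps",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "broad access to shared files",
}

# Constructed manifests for hypothetical packages (not from a real sample).
SUSPICIOUS_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filerecovery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <activity android:name=".Main" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of finding ids for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested & set(RISKY_PERMISSIONS)):
        findings.append("permission:" + perm)

    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    if any(s.get(ANDROID + "permission") == ACCESSIBILITY for s in root.iter("service")):
        findings.append("accessibility-service")

    # No activity (or alias) in the LAUNCHER category means no home-screen icon.
    entry_points = list(root.iter("activity")) + list(root.iter("activity-alias"))
    has_icon = any(
        cat.get(ANDROID + "name") == LAUNCHER
        for entry in entry_points
        for cat in entry.iter("category")
    )
    if not has_icon:
        findings.append("no-launcher-icon")
    return findings


def verdict(findings):
    """high: accessibility service plus another trait; medium: any trait; low: none."""
    if "accessibility-service" in findings and len(findings) > 1:
        return "high"
    return "medium" if findings else "low"
```

Legitimate apps also declare accessibility services, so a "high" result is a prompt for manual review, not a detection on its own.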

Staying safe from Android banking trojans

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

A graphic showing that Malwarebytes detected Android banking trojans 88,500 times in 2023

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.


Change Healthcare outages reportedly caused by ransomware

28 February 2024 at 06:41

On Wednesday February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group—experienced serious system outages due to a cyberattack.

In a Form 8-K filing the company said it:

“identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”

Change Healthcare is one of the largest healthcare technology companies in the United States. Its subsidiary, Optum Solutions, operates the Change Healthcare platform. This platform is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.

The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.

According to Reuters, the group behind the attack is the ALPHV/BlackCat ransomware group. ALPHV is currently one of the most active groups, and generally associated with Russia. They are certainly no strangers to attacking healthcare providers. In our monthly ransomware reviews you will typically find them in the top five of ransomware groups. Even after a disruption in December 2023 they returned and maintained a high level of activity.

BleepingComputer confirmed Reuters’ assertion, saying it had received information from forensic experts involved in the incident response that linked the attack to the ALPHV ransomware gang.

It would certainly make more sense to us that the attacker was a ransomware group than a nation-state associated group, but neither ALPHV nor UnitedHealth has commented on this. That’s no surprise since the investigation is probably still ongoing and solving the security issue is a higher priority.

The ramifications of any stolen data remain to be seen, but they could be very serious given the size of the company and the nationwide application of their electronic health record (EHR) systems, payment processing, care coordination, and data analytics.

In a February 26 update the company says it took immediate action to disconnect Change Healthcare’s systems in order to prevent further impact. You can follow updates about the issue on the dedicated incident report site.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

One year later, Rhadamanthys is still dropped via malvertising

28 February 2024 at 10:58

It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.

Fast forward to 2024 and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall, which so far has been sustained. The most recent targeted searches are for Parsec and FreeCAD, followed by WinSCP, Advanced IP Scanner, Slack and Notion.

Threat actors are targeting business users with payloads such as FakeBat, Nitrogen or Hijackloader. One other malware family we have seen here and there is Rhadamanthys. In this blog post, we detail the latest distribution chain related to this malware.

Key points

  • Rhadamanthys is an infostealer distributed via malspam and malvertising.
  • Google searches for popular software such as Notion return malicious ads.
  • Threat actors are using decoy websites to trick users into downloading malware.
  • The initial payload is a dropper that retrieves Rhadamanthys via a URL pasted online.
  • The TextBin paste site shows the URL was seen/accessed 8.5K times.

Malicious ad

Threat actors continue to impersonate well-known brands via sponsored search results. As can be seen below in a search for Notion (productivity software), an extremely deceptive ad is shown. Because it includes the official logo and website for Notion, most users will not think twice and click on the link.

While the ad looks real on the surface, the Google Ads Transparency Center page (which can be accessed by clicking on the menu right next to the ad’s URL) shows this ad was created by a certain ‘BUDNIK PAWEŁ’ from Poland. According to the same report, the first ad appeared on January 23, 2024.

As a matter of fact, we have been tracking this fraudulent advertiser for a few weeks and had reported it to Google in early February, when we first ran into it. At the time, victims who clicked the ad and visited the site were tricked with a download for NetSupport RAT.

In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper. In the web traffic seen below, we can see that the threat actor uses a number of redirects to evade detection. URL shorteners and redirectors are quite common for the initial ad click, often followed by an attacker-controlled domain responsible for cloaking traffic.

There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.

Landing page and payload

The landing page is the decoy site that victims will see after they click on the ad. Apart from the URL in the address bar, it looks very similar to the official web site for Notion, although somewhat simplified. There are two download buttons, one for Mac and the other for Windows.

The Mac payload (Notion.dmg) is a new variant of Atomic Stealer. Thanks to Luis Castellanos from Block for sharing a sample with us.

The Windows binary is a signed file but its digital signature is not valid. The name of the signer that shows here is from the inventor of PuTTY, a popular admin tool. This digital certificate is likely fake or was revoked, but it may evade detection in some cases.

This dropper contacts the paste site TextBin where it retrieves a URL for the followup payload, Rhadamanthys. If the numbers are correct this unlisted paste was viewed 8.5k times already.

Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs (screenshot from Joe Sandbox):

Upon execution, Rhadamanthys reports to its command and control server, then sends and receives data.

Conclusion

Not a lot has changed with malvertising campaigns focused on software downloads as we enter the second year of actively tracking them. Sponsored search results continue to be highly misleading due to the fact that any verified individual is able to impersonate popular brands by using their logo and official site within the ad itself.

We are aware of reports shared within private circles that businesses were compromised after an employee clicked on a malicious ad. Follow-up activities post infection include the usual ‘pentesting tools’ that precede a company-wide breach or ransomware deployment.

The infrastructure used in this particular attack was reported to the relevant parties. Malwarebytes and ThreatDown customers are protected against the payloads and distribution sites.

Additionally, EDR customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

Endpoint users will see a customizable message when they click on an ad such as those that appear on a search engine results page:

ALPHV is singling out healthcare sector, say FBI and CISA

28 February 2024 at 12:11

In an updated #StopRansomware security advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have warned the healthcare industry about the danger of the ALPHV ransomware group, also known as Blackcat. According to the advisory:

Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.

We have reported in the past that ransomware groups show absolutely no respect to previous promises to leave the healthcare sector alone. This is not a new phenomenon, but ALPHV focusing on healthcare specifically is a relatively new one.

On the grapevine you can hear that ALPHV asked their affiliates to focus on this industry as a kind of payback for the disruptions to their infrastructure in December last year by law enforcement.

The recent attack on Change Healthcare was reportedly caused by ALPHV, but we don’t feel it’s right to say that they didn’t attack healthcare well before that disruption.

The ALPHV leak site home page. Four of the last nine victims were in healthcare

And unfortunately ALPHV is not the only one. In a new low, the attack on Lurie Children’s Hospital has been claimed by the Rhysida ransomware group.

ALPHV is a Ransomware-as-a-Service (RaaS) group, meaning that its ransomware is made available to criminal affiliates using a software-as-a-service (SaaS) business model. ALPHV was ranked second in the list of most active big game ransomware groups of 2023.

table of most active ransomware groups in 2023
The ten most active big game ransomware groups in 2023, by known attacks

According to the advisory, ALPHV’s affiliates use advanced social engineering techniques and open source research on a company to gain initial access. They pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. After the initial breach they deploy remote access software such as AnyDesk, Mega sync, and Splashtop to prepare the theft of data from the network.

From the initial access they use various other legitimate, living off the land (LOTL), tools to further their access. Once the data has been safely moved to their Dropbox or Mega accounts, the ransomware is deployed to encrypt machines in the network. The latest ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, as well as VMware instances.

It is unclear how ALPHV would stimulate attacks on healthcare institutions among its affiliates. We do understand that some of the data found during these attacks is very valuable on the underground market.

Having seen how devastating attacks on healthcare can be, we would encourage every cybercriminal involved to waive their right to be treated in any healthcare facility. Or, at least, try and realize the damage they are doing and the potential impact on people’s health.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR

28 February 2024 at 14:43

In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month long malware campaign against a Managed Service Provider (MSP) based in Europe. In line with our observations of attackers increasingly relying on legitimate software in their attacks, the attacker employed various Living Off the Land (LOTL) techniques to avoid detection.

MSPs are a prime target of cyberattacks for two main reasons. One, they provide services to multiple clients, giving attackers access to a broader network of targets through a single breach. Two, MSPs often operate on tight security budgets, making them more vulnerable to attacks.

Almost immediately after onboarding the MSP in mid-January, the ThreatDown MDR team found extensive evidence of an ongoing malware campaign. The attackers, who targeted the MSP’s network from October 2023 to January 2024, silently monitored and manipulated the network for months, leveraging legitimate remote access tools like AnyDesk and TeamViewer and attempting to install malware like Remcos RAT and AsyncRAT.

Let’s dive into the details of this incident and how ThreatDown MDR neutralized the threat.

Initial discovery and evidence of compromise

In late October 2023, ThreatDown Endpoint Detection and Response (EDR) flagged multiple suspicious outbound connections on the MSP’s network. These were attempts to communicate with known malicious external sites and IPs, involving several endpoints within the network.

This activity was immediately blocked by ThreatDown, marking the first documented evidence of a security breach. The nature of these attempts—targeting sites associated with RDP-based attacks and other malicious activities—indicated a possible compromise.

List of malicious sites automatically blocked by ThreatDown MDR.

Expanding presence and evasion

Following the initial detections in October, the attacker quietly expanded their presence within the network. On December 8th, network scanning activity was detected from an endpoint, indicative of the attacker’s efforts to map out the network for further exploitation. This activity went beyond mere exploration, suggesting a systematic approach to identify additional targets or vulnerabilities within the MSP’s digital environment.

Escalation and discovery of malware

The situation escalated in January 2024 with the discovery of malware on several endpoints, linked to unauthorized remote access tools like ScreenConnect and AnyDesk.

This pointed towards a more aggressive phase of the attack, with the attackers deploying malware to maintain and expand their access. An attempt to uninstall McAfee via PowerShell, observed on an endpoint, further underscored the attackers’ intentions to weaken the network’s defenses.

Detection of malware leveraging RMM tools.

Ongoing surveillance and response

The implementation of ThreatDown MDR services on January 18th, 2024, was a strategic move by the MSP to gain deeper insights into the attackers’ movements. By this time, the attackers had already established a significant presence within the network, as evidenced by the attempted communications with a known AsyncRAT botnet C2 server and the discovery of additional remote management and monitoring (RMM) tools on the network.

Connections to AsyncRAT were detected and automatically blocked by ThreatDown MDR

Fortunately, the ThreatDown MDR team caught the attack in action and made several immediate recommendations for the MSP, including:

  • Isolating the compromised endpoints to halt the infection spread and re-imaging them for a clean slate.
  • Changing all administrative and local passwords three times to fortify security.
  • Restoring all infected endpoints from secure backups, eliminating the use of local administrator accounts, and implementing application and DNS filtering to control software usage and web access.

Threat hunting with ThreatDown MDR

How ThreatDown MDR works

MSPs continue to be a prime target in cyber attacks—and as we’ve seen in this case study, attackers are in it for the long haul, able to remain undetected for several months after compromising a network.

The attacker’s use of legitimate tools such as TeamViewer, ScreenConnect, and PowerShell in their months-long attack on the MSP underscores a key theme we’ve been writing about on the blog recently: attackers are increasingly relying on LOTL techniques in their attacks to avoid detection.

In this example, if the attack had been allowed to continue, the MSP could have suffered a ransomware attack, data breach, or both. Fortunately, however, by hunting down LOTL techniques for the MSP based on suspicious activity and past indicators of compromise (IOCs), the ThreatDown MDR team successfully stopped the threat.
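A hunt for the LOTL activity in this case study can start from process-creation telemetry: remote access tools the organization never approved, approved tools running from unexpected paths, and PowerShell commands that uninstall a security product. The following is an added example, not ThreatDown's detection logic; the events, host names, approved-tool list and the install-path rule are constructed assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Remote access tools named in the case study, matched on the executable name.
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"^anydesk", re.I),
    "TeamViewer": re.compile(r"^teamviewer", re.I),
    "ScreenConnect": re.compile(r"^screenconnect", re.I),
}
SECURITY_PRODUCTS = ("mcafee",)            # product named in the case study
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
EXPECTED_INSTALL_PREFIX = "c:\\program files"  # assumption: where approved tools live

# Constructed process-creation events (hypothetical hosts and paths).
EVENTS = [
    {"ts": "2024-01-10T08:02:11Z", "host": "WS-014",
     "image": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"ts": "2024-01-11T23:41:07Z", "host": "WS-014",
     "image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2024-01-12T02:15:44Z", "host": "SRV-02",
     "image": r"C:\ProgramData\sc\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"ts": "2024-01-12T02:19:30Z", "host": "SRV-02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command \"Get-Package -Name '*McAfee*' | Uninstall-Package\""},
    {"ts": "2024-01-12T09:00:00Z", "host": "WS-020",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command \"Get-Package -Name '*McAfee*'\""},
    {"ts": "2024-01-13T03:12:09Z", "host": "WS-020",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
]


def classify(event, approved_rmm):
    """Return finding ids for a single process-creation event."""
    path = event["image"].lower()
    name = ntpath.basename(path)
    findings = []
    for tool, pattern in RMM_PATTERNS.items():
        if not pattern.search(name):
            continue
        if tool not in approved_rmm:
            findings.append(f"unapproved-rmm:{tool}")
        elif not path.startswith(EXPECTED_INSTALL_PREFIX):
            # Approved tool, but not running from its normal install location.
            findings.append(f"rmm-unusual-path:{tool}")
    if name in POWERSHELL_IMAGES:
        cmd = event["cmdline"].lower()
        if "uninstall" in cmd and any(p in cmd for p in SECURITY_PRODUCTS):
            findings.append("security-tool-uninstall")
    return findings


def hunt(events, approved_rmm):
    """Group findings per host in time order: {host: [(timestamp, finding), ...]}."""
    report = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        for finding in classify(event, approved_rmm):
            report[event["host"]].append((event["ts"], finding))
    return dict(report)


if __name__ == "__main__":
    for host, hits in hunt(EVENTS, approved_rmm={"TeamViewer"}).items():
        for ts, finding in hits:
            print(host, ts, finding)
```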

Protecting your MSP from stealthy LOTL threats takes an elite team of security professionals scouring your systems 24×7 for IOCs and suspicious activity observed on endpoints. Learn more about ThreatDown today.

Facebook bug could have allowed attacker to take over accounts

29 February 2024 at 06:16

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

The bug was found by a bounty hunter from Nepal called Samip Aryal and has now been fixed by Facebook.

In his search for an account takeover vulnerability, the four-time Meta Whitehat award recipient started by looking at the uninstall and reinstall process on Android. By using several different user agents, he encountered an interesting response in the password reset flow.

Send code via Facebook notification option to reset login

After investigation, a few characteristics of the login code made it an interesting attack vector:

  • The code was valid for two hours
  • It did not change during that period when requesting it
  • There was no validation if you attempted a wrong login code

Combined with the fact that these codes are only 6 digits, Samip saw opportunities for a brute force attack, where an attacker repeatedly tries to access login credentials in the hope of eventually getting into an account.

After uncovering all this information, and with his extensive knowledge about the Facebook authentication process, Samip found the method to take over an account was relatively simple:

  • Pick any Facebook account.
  • Try to log in as that user and request a password reset (Forgot password).
  • From the available reset options choose “Send code via Facebook notification”.
  • This creates a POST request. As part of a POST request, an arbitrary amount of data of any type can be sent to the server in the body of the request message.
  • Copy that POST request and use a method to try all the 100,000 possibilities. Note, 100,000 possibilities may sound like a lot, but given the two-hour time frame there are plenty of options to do that.
  • The matching code responds with a 302 status code, a redirect that confirms the search was successful.
  • Use the correct code to reset the password of the account and the attacker can now take over the account.

There was one caveat. The owner of the account will see the notification on the device they are logged in with. And strangely enough the notifications came in two flavors.

The difference in notification which makes it a zero-click or not

The first one works as described above, but the second one does require the account owner to tap that notification before Facebook generates a login code. That makes it a lot harder to take over the account.

A detailed report of how Samip found the vulnerability is available on his Medium page.

Facebook has awarded Samip a bounty and fixed the issue. Together with other bounty hunters, Samip submitted hundreds of reports to Meta which they resolved, making Facebook and other platforms a safer place along the way.

Paying attention pays off

There are a few takeaways from this method that Facebook users, and users of other platforms for that matter, might use to their advantage.

  • Pay attention to the signs that a password request has been initiated (email, notifications, texts, etc.). Somebody could be trying to take over your account. Follow the instructions on the password reset notification if it’s not you doing the reset.
  • Don’t use the Facebook login option on other platforms, and certainly not on ones that have personal or financial information about you.
  • Turn on 2FA for Facebook to make it harder for criminals to hijack your account.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Airbnb scam sends you to a fake Tripadvisor site, takes your money

29 February 2024 at 09:00

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers.

Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the description the owner asked interested parties to contact them by email.

“The property is listed on several websites so contact me directly by mail to check for availability.”

So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.

“My name is Carla Taddei, I am a co-host of this property, your dates are available.

The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.

Currently , we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I choose to use only tripadvisor.com

If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”

Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.

fake Tripadvisor site

However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.

Browser Guard warning for the fake Tripadvisor website

Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.

Email claiming to be from Tripadvisor

The owner sent a follow up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.

“Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.

Please note, the full payment including the security deposit is required on the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property and it is fully refundable on the day when you leave the property.

Please forward and the payment confirmation once done so I can validate your booking.”

The scammer hoped Stefan would click on the booking button on the fake Tripadvisor site. If he had done, he would have seen a prompt to register with ‘Tripadvisor’.

One step further and he’d have been asked to enter his credit card details, at which point he would have been likely to pay a lot more than the agreed €2000 for an apartment he would never see from the inside.

Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.

We found 220 websites related to this particular scam campaign. 26 of them were structured similarly to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd and related sites, and 194 were structured similarly to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz and related sites.

How to recognize and avoid scams

There are several ways in which this procedure should have set your scam spidey senses in action, even if you’re not a professional like Stefan.

  • When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
  • Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
  • Check the links in the emails are going to where you expect. Even though the links in the email say tripadvisor.com, in reality they pointed to tinyurl.com. The use of URL shorteners where there is no actual need to shorten a URL is often done to obfuscate the link.
  • In the same vein, check the address in your browser’s address bar to check if it is going to where you would expect. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde which has been taken offline now.
  • Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
  • Double check the website again before entering personal details or financial information.
  • Keep your software updated and use a web filter that will alert you to suspicious sites.
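The link checks in the list above can be automated for mail or web filtering. The following is an added example, not part of the original article or any Malwarebytes product: it flags links whose visible text names one domain while the target is another, links through URL shorteners, and hostnames that carry a brand name on an unrelated domain. The shortener and brand lists, the function names and the sample email are assumptions, and the tinyurl path is a placeholder because the article does not give the real one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative lists (assumptions); extend them for real use.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
BRANDS = {"tripadvisor": "tripadvisor.com", "airbnb": "airbnb.com"}
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable(host):
    """Naive registrable domain: the last two labels. A production check
    should use the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return warning labels for one link given its target and visible text."""
    host = (urlsplit(href).hostname or "").lower()
    if not host:
        return []
    domain = registrable(host)
    findings = []
    if domain in SHORTENERS:
        findings.append("shortener")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registrable(shown.group(1)) != domain:
        findings.append("text_mismatch")      # text says one site, link goes to another
    if any(b in host and domain != real for b, real in BRANDS.items()):
        findings.append("brand_lookalike")    # brand name on someone else's domain
    return findings


class _Anchors(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html):
    """Map each link target in an HTML email body to its warning labels."""
    parser = _Anchors()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample: link text shows tripadvisor.com, target is a shortener.
SAMPLE_EMAIL = """
<p>You can see the property here:
<a href="https://tinyurl.com/EXAMPLE">https://www.tripadvisor.com/VacationRental</a></p>
"""

if __name__ == "__main__":
    print(scan_email(SAMPLE_EMAIL))
    print(check_link("https://tripadvisor-pre-approved-7f18-4bf6-8470-"
                     "a6d44541e783.tynoli.cfd/d07f/", "Book now"))
```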

Pig butchering scams, how they work and how to avoid them

1 March 2024 at 08:41

Pig butchering scams are big business. There are hundreds of millions of dollars involved every year. The numbers are not very precise because some see them as a special kind of romance scam, while others classify them as investment fraud.

The victims in Pig Butchering schemes are referred to as pigs by the scammers, who use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the butchering–meaning they’ll be bled dry of their money.

And they usually start by someone sending you a message that looks like it’s intended for someone else.

Scammers trying to initiate pig butchering scams

The accounts sending the messages often use stock photographs of models for their profile pictures. But even though you won’t know these people, a simple reply of “I’m not Steve, but…” is almost exactly what the scammers want—an initial foothold to talk to you a bit more.

After some small talk, the scammer will ask if you’re familiar with investments, or cryptocurrency. They’ll then do one of two things:

  • Direct you to a genuine cryptocurrency investment portal, and send you some money to invest or have you do it on your own dime. Eventually you’re asked to transfer all funds and/or profit to a separate account which belongs to the scammer. At that point, your money has gone and the proverbial pig has been butchered after a period of so-called “fattening up” (in other words, gaining your trust and convincing you to go all out where investing is concerned).
  • Direct you to a fake cryptocurrency site, often imitating a real portal. The site may well have its numbers tweaked or otherwise deliberately altered to make it look as though your suggested investments are sound bets. The reality is that they are not, and by the time you realize it, your money has gone.

Once you are satisfied with the profit on your investment and decide to cash out, the problems come at you from different directions. A hefty withdrawal fee or a huge tax will need to be paid to get your money back. Which you won’t, but this is the last drop the scammers will try to wring out of you.

John Oliver talked at length about Pig Butchering scams in the latest episode of Last Week Tonight with John Oliver (HBO), lifting the lid on some shocking examples of people who got scammed, and the role that organized crime plays behind the scenes. (Note that you’ll need to be in the USA to watch it, or have a good VPN 😉)

As John Oliver put it:

“You may have an image of a person who might fall for pig butchering, but unless you are looking in a mirror, you might be wrong.”

So here are some pointers.

How to avoid becoming the pig

The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:

  • Stray messages for “someone else” appear out of the blue.
  • The profile pic of the person you’re talking to looks like someone who is a model.
  • Common scam opening lines may involve: Sports, golfing, travel, fitness.
  • At some point they will ask you about investments and/or cryptocurrency.
  • They will ask you to invest, or take some of their money and use that instead.

As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).

Malicious meeting invite fix targets Mac users

1 March 2024 at 12:53

Cybercriminals are targeting Mac users interested in cryptocurrency opportunities with fake calendar invites. During the attacks the criminals will send a link supposedly to add a meeting to the target’s calendar. In reality the link runs a script to install Mac malware on the target’s machine.

Cybersecurity expert Brian Krebs investigated and flagged the issue.

Scammers, impersonating cryptocurrency investors, are active on Telegram channels to get interested people to attend a meeting about a future partnership.

One of those investors called Signum Capital tweeted a warning on X in January that one of their team members was being impersonated on Telegram and sending out invites by direct message (DM).

Heads up! A fake account pretending to be one of our team members is going around DM-ing people on Telegram.

The screenshots below is from the scammer please take note and be alert. pic.twitter.com/6hFcUsaGtZ

— Signum Capital (@Signum_Capital) January 22, 2024

The criminals reach out to targets by DM on Telegram and ask if they have an interest in hearing more about the opportunity in a call or meeting. If they show interest they will be sent a fabricated invitation for a meeting. When the time comes to join the meeting the invitation link doesn’t work. The scammers tell the victim it’s a known issue, caused by a regional access restriction, which can be solved by running a script.

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed to look at this method. This isn’t the first time criminals have used scripts to compromise users, he told us.

“AppleScript has been used against Mac users with moderate frequency by malware creators over the years. It has the advantage of being very easy to write, and if compiled, is also extremely difficult to reverse engineer.”

According to Reed, AppleScripts can be provided in a few different forms. One is a simple .scpt file that opens in Apple’s Script Editor app. This has a few drawbacks for criminals: A victim would need to click something within Script Editor to run the script, and they would be able to see the code, which might be a problem because AppleScript tends to be more human readable than most other scripts. However, there are ways to obfuscate what the code is doing, and many users won’t bother to read it anyway.

Another option is an AppleScript applet. This is something that acts like a normal Mac app. It contains a basic AppleScript executable and the script to be run. In this form, the script can be code signed, notarized, given an icon, and otherwise made to appear more trustworthy. The code could be pretty bland, and unlikely to trigger any kind of detection from Apple’s notarization process, but could download and execute something less trustworthy.

Scripts have another advantage for criminals, Reed warned.

“AppleScripts also have the advantage of being able to very easily get administrator permissions.”

A script that attempts to run a command with administrator privileges will ask users to authenticate, triggering a password dialog.

If the user enters their password, the script doesn’t actually get to see it, but everything else the script attempts to do “with administrator privileges” will successfully run as root without further authentication. This makes it very easy for the script to show a standard authentication request dialog and trick the user into giving root permissions.

“So, in summary, AppleScript can be quite effective for writing malware. In fact, some malware has been written exclusively – or almost exclusively – in AppleScript, such as OSX.DubRobber or OSX.OSAMiner.”

In this case, the script was a simple AppleScript that downloaded and executed a macOS-oriented Trojan. The nature of the Trojan is unknown, but it certainly won’t surprise anyone if it turns out it was a banking Trojan that specializes in stealing cryptocurrencies.

Recognizing the scam

To avoid falling victim to these scammers, it’s good to know a few of their tactics.

  • Targets are approached by DM on Telegram.
  • Topics are cryptocurrency investment opportunities.
  • The scammers have a preference for the Calendly scheduling platform.
  • A fake “regional access restriction” creates a sense of last minute urgency.
  • The script had the .scpt (AppleScript) extension.
  • The script was hosted on a domain that pretended to be a meeting support site.

The presence of Mac malware is unfortunately still underestimated, but you can find protection with Malwarebytes for Mac, and protect Mac endpoints in your environment with ThreatDown solutions.


PikaBot malware on the rise: What organizations need to know 

1 March 2024 at 15:11

A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot.

A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads.

After QBot got shut down, there was a vacuum in the ransomware gang tool box—but with PikaBot, that’s beginning to change: last month we wrote about the first recorded instance of PikaBot being used by ransomware gangs, specifically Black Basta, in their attacks.

Let’s dig into how PikaBot works, how it’s distributed, how ransomware gangs use it in their attacks, and how to stop it with ThreatDown.

A closer look at PikaBot

To get a better idea of how PikaBot works, we need to first understand what a modular trojan is.

Simply put, a modular trojan is a type of malware designed to be flexible and extensible, allowing attackers to add or update its functionalities easily without needing to replace the whole malware.

The modular nature of trojans like QBot and PikaBot is what makes them so dangerous. Unlike simpler malware, PikaBot can execute arbitrary commands, download additional payloads, and inject malicious shellcode into legitimate processes running on a victim’s computer. Think of it like a backdoor that allows attackers to set up for the next stages of their attacks.

Once it’s installed onto a system, PikaBot has a whole host of ways to stay under the radar, evading detection by most conventional security tools through techniques like indirect system calls and advanced obfuscation methods.

How PikaBot is distributed

The distribution of PikaBot, like many other malicious loaders such as QBot and DarkGate, is heavily reliant on email spam campaigns. Even so, ThreatDown Intelligence researchers have seen PikaBot being delivered via malicious search ads as well (also known as “malvertising”).

PikaBot’s initial access campaigns are meticulously crafted, utilizing geolocalized spam emails that target specific countries. The emails often contain links to external SMB (Server Message Block) shares, which host malicious zip files.

SMB shares are network folders leveraging the SMB protocol—a network file sharing protocol designed for sharing files and printers across devices on a network. Attackers often use SMB shares to distribute malware. In this case, downloading and opening the hosted zip file results in PikaBot infection.

For example, consider the below phishing email containing a link to a zip file containing the PikaBot payload.

Source: ANY.RUN (Translation: I sent you some paperwork the other day. Did you get it?)

Once the recipient interacts with these emails by clicking on the link, they are taken to the SMB share hosting the malicious zip files.

Extracting a zip and double-clicking on the executable within it will install PikaBot.

Source: ANY.RUN

How ransomware gangs use PikaBot

Ransomware gangs commonly use modular trojans like PikaBot for their attacks.

Before it was shut down, for example, QBot allowed ransomware gangs to seamlessly integrate various attack techniques into their operations, including stealing credentials, moving laterally across networks, and ultimately deploying ransomware or other malicious payloads.

PikaBot is being used by ransomware attackers in a similar way.

Once PikaBot has established a foothold in a network, it allows attackers to engage in a wide range of follow-up activities.

For example, researchers have noted affiliates of the BlackBasta ransomware gang using PikaBot to communicate over encrypted channels with command and control (C&C) servers. PikaBot can also assist gangs in getting detailed information about infected systems, helping them tailor their ransomware for maximum impact.

How to stop PikaBot with ThreatDown

Besides preventing initial access through things such as a web content filter and phishing training, choosing an Endpoint Detection and Response (EDR) platform that automatically detects and quarantines threats like PikaBot is crucial.

ThreatDown EDR automatically detects and blocks PikaBot

However, given the constant evolution of malware, identifying dynamic threats like PikaBot boils down to two words: threat hunting.

At ThreatDown, we talk a lot about the importance of threat hunting for SMBs, and for good reason. Just consider the fact that, when an attacker breaches a network, they don’t attack right away. The median amount of time between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like PikaBot that can quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

For example, as detailed in one case study, the ThreatDown Managed Detection and Response (MDR) team employed threat hunting techniques to uncover and neutralize a sophisticated QBot attack on a reputable oil and gas company. The team’s approach involved meticulously examining Indicators of Compromise (IoCs), analyzing network traffic, and scrutinizing unusual patterns of behavior within the company’s IT infrastructure, ultimately resulting in QBot’s discovery on the network and isolation of infected systems.

ThreatDown MDR workflow

Stop threats like PikaBot today

Want to learn more about how ThreatDown stops new threats like PikaBot? Fill out this form to speak with an expert and get a custom quote.

Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users

5 March 2024 at 05:58

A California federal judge has ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.

Meta-owned WhatsApp has been fighting NSO in court since 2019, after Pegasus was allegedly used against 1,400 WhatsApp users over the period of two weeks. During this time, NSO Group gained access to the users’ sensitive data, including encrypted messages.

NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public. However, the company also says it recognizes that some customers might abuse the abilities of the software for other purposes.

Earlier in the court case, NSO Group argued it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries. NSO Group is closely regulated by the Israeli ministry of defense, which reviews and has to approve the sale of all licenses to foreign governments or entities. This is likely also the reason why NSO Group claimed to be excused from all its discovery obligations in the case, due to various US and Israeli restrictions.

NSO Group argued it should only be required to hand over information about Pegasus’ installation layer, but this was denied by the court. The judge ordered NSO Group to provide the plaintiffs with the knowledge needed to understand how the relevant spyware performs the functions of accessing and extracting data.

WhatsApp said that the decision is a major victory in its mission to defend its users against cyberattacks. This may be true if a better understanding of how the spyware works leads to improvements that can thwart future abuse.

However, this is no reason to assume that this will bring an end to NSO Group’s capabilities or willingness to spy on WhatsApp users. NSO Group doesn’t have to disclose the identity of its clients and it only has to produce information concerning the full functionality of the relevant spyware, specifically for a period of one year before the alleged attack to one year after the alleged attacks, which means from April 29, 2018 to May 10, 2020. Things have developed since then.

The US sanctioned NSO Group in 2021 for developing and supplying cyber weapons to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.

After that period we saw many zero-day vulnerabilities brought to light in browsers and other online applications, very likely used by NSO to compromise mobile devices.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
